Change log for SQUID_WEBPROXY

Date Changes
2025-08-07 Enhancement:
- Modified the grok pattern to parse timestamp with extra spaces.
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped from a combination of `day1`, `month1`, `year1`, `time1`, and `timezone1` raw log fields when `timestamp_value` is not present.
- Added conditional check for `time_value`: If `time_value` is empty, the timestamp is derived from `day1`, `month1`, `year1`, `time1`, and `timezone1`.
2025-07-22 Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `time_value` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `transaction.timing.gmt_time`, `transaction.timing.local_time` and `result_code` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.
- Added a date filter to parse `timestamp_value` when it matches the `dd/MMM/yyyy:HH:mm:ss Z` format.
- Refactored parser logic to dynamically map multiple raw log fields to `event.idm.read_only_udm.additional.fields` and `event.idm.read_only_udm.target.resource.attribute.labels` for improved maintainability.
- Updated event type logic: events that have both a principal and a target are now classified as NETWORK_CONNECTION.
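The timestamp handling described in the 2025-07-22 and 2025-08-07 entries (parse `dd/MMM/yyyy:HH:mm:ss Z`, tolerate extra spaces, fall back to the split `day1`/`month1`/`year1`/`time1`/`timezone1` fields) as an added Python illustration. This is example code, not the SQUID_WEBPROXY parser's own logic; the precedence between `timestamp_value` and `time_value`, the way the split fields are reassembled, and the sample records are assumptions made for the demonstration.

```python
"""Added illustration (not the SQUID_WEBPROXY parser's own code) of the
timestamp handling described in the 2025-07-22 and 2025-08-07 entries."""
import re
from datetime import datetime, timezone

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # strptime form of dd/MMM/yyyy:HH:mm:ss Z


def parse_timestamp(value):
    """Parse a 'dd/MMM/yyyy:HH:mm:ss Z' string into an aware datetime.

    Surrounding brackets and runs of whitespace (the "extra spaces" case
    from the 2025-08-07 entry) are normalised first. Returns None when the
    value is missing or not in that format, so the caller can fall back.
    """
    if not value:
        return None
    compact = re.sub(r"\s+", " ", value.strip(" []\t"))
    try:
        return datetime.strptime(compact, TS_FORMAT)
    except ValueError:
        return None


def event_timestamp(fields):
    """Return metadata.event_timestamp for one record of raw log fields.

    `fields` uses the raw field names from the change log. Precedence is an
    assumption of this example: `timestamp_value`, then `time_value`, then
    the split day1/month1/year1/time1/timezone1 fields reassembled into the
    same dd/MMM/yyyy:HH:mm:ss Z string and parsed the same way.
    """
    for key in ("timestamp_value", "time_value"):
        ts = parse_timestamp(fields.get(key))
        if ts is not None:
            return ts
    parts = [str(fields.get(k, "")).strip()
             for k in ("day1", "month1", "year1", "time1", "timezone1")]
    if all(parts):
        day, month, year, hms, tz = parts
        return parse_timestamp(f"{day}/{month}/{year}:{hms} {tz}")
    return None


def to_utc_iso(ts):
    """Render as UTC ISO 8601 so records with different offsets compare equal."""
    return ts.astimezone(timezone.utc).isoformat() if ts else None


# Constructed records (not from any real deployment), one per code path.
SAMPLES = {
    "plain":    {"timestamp_value": "07/Aug/2025:10:15:30 +0000"},
    "spaced":   {"timestamp_value": "[  7/Aug/2025:10:15:30   -0700 ]"},
    "fallback": {"timestamp_value": "", "day1": "07", "month1": "Aug",
                 "year1": "2025", "time1": "10:15:30", "timezone1": "+0530"},
    "missing":  {"timestamp_value": "not a date"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:<9} -> {to_utc_iso(event_timestamp(rec))}")
```

Returning `None` rather than "now" when nothing parses is deliberate: a missing event timestamp is easier to spot in the SIEM than a silently wrong one.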
2025-07-11 Enhancement:
- `event.idm.read_only_udm.target.application`: Newly mapped `env.application` raw log field with `event.idm.read_only_udm.target.application` UDM field.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `env.host` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- `event.idm.read_only_udm.target.asset.hostname`: Newly mapped `env.host` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.
- `event.idm.read_only_udm.target.resource.name`: Newly mapped `env.instance` raw log field with `event.idm.read_only_udm.target.resource.name` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `env.class`, `env.cname`, `env.nom`, `env.site`, `env.st`, `env.uniq_hname` raw log fields with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `http.access_control.ident`, `http.request.status`, `http.request.headers_size`, `http.request.hierarchy_status`, `http.request.http_version`, `http.response.content_type`, `http.response.headers_size`, `http.response.type`, `http.response.peer_code`, `http.response.xpowby`, `http.response.xrid`, `http.timing.peer_rsp_time`, `http.timing.peer_total_time`, `http.timing.rsp_time`, `transaction.connection.client_remote_port`, `transaction.connection.peer_local_port`, `transaction.connection.peer_remote_port`, `transaction.timing.dns_lookup`, `transaction.timing.epoch` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `http.access_control.user` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.network.http.method`: Newly mapped `http.request.method` raw log field with `event.idm.read_only_udm.network.http.method` UDM field.
- `event.idm.read_only_udm.target.url`: Newly mapped `http.request.url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- `event.idm.read_only_udm.intermediary.ip`: Newly mapped `http.request.xff` raw log field with `event.idm.read_only_udm.intermediary.ip` UDM field.
- `event.idm.read_only_udm.network.http.referer`: Newly mapped `http.request.referer` raw log field with `event.idm.read_only_udm.network.http.referer` UDM field.
- `event.idm.read_only_udm.network.sent_bytes`: Newly mapped `http.request.total_size` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- `event.idm.read_only_udm.target.port`: Newly mapped `http.request.url_port` raw log field with `event.idm.read_only_udm.target.port` UDM field.
- `event.idm.read_only_udm.network.http.response_code`: Newly mapped `http.response.code` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field.
- `event.idm.read_only_udm.network.received_bytes`: Newly mapped `http.response.total_size` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `transaction.connection.client_local_ip` and `transaction.connection.client_remote_ip` raw log fields with `event.idm.read_only_udm.principal.ip` UDM field.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `transaction.connection.client_local_ip` and `transaction.connection.client_remote_ip` raw log fields with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- `event.idm.read_only_udm.principal.port`: Newly mapped `transaction.connection.client_local_port` raw log field with `event.idm.read_only_udm.principal.port` UDM field.
- `event.idm.read_only_udm.target.ip`: Newly mapped `transaction.connection.peer_local_ip` and `transaction.connection.peer_remote_ip` raw log fields with `event.idm.read_only_udm.target.ip` UDM field.
- `event.idm.read_only_udm.target.asset.ip`: Newly mapped `transaction.connection.peer_local_ip` and `transaction.connection.peer_remote_ip` raw log fields with `event.idm.read_only_udm.target.asset.ip` UDM field.
2025-07-09 Enhancement:
- Added grok patterns to parse unparsed logs.
- Replaced `squid_webproxy.include` with actual code.
- Removed redundant code for `event.idm.read_only_udm.network.http.user_agent`.
- Added `on_error` for all `replace` blocks.
- If `has_principal` is `true` and (`has_target` is `true` or `has_target_url` is `true`) and `app_proto` is `HTTP` or `HTTPS`, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_HTTP`.
- If `app_proto` is "" and `has_principal` is `true` and `method` is not "" and `has_target` is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_UNCATEGORIZED`.
- If `has_principal` is `true` and `has_target` is `true`, then set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION`.
- If `has_principal` is `true` and `has_target` is `false` and `method` is not "", then set `event.idm.read_only_udm.metadata.event_type` to `STATUS_UNCATEGORIZED`.
- If `has_principal` is `true` and `has_target` is `false`, then set `event.idm.read_only_udm.metadata.event_type` to `STATUS_UPDATE`.
- If none of the above conditions are met, then set `event.idm.read_only_udm.metadata.event_type` to `GENERIC_EVENT`.
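The event type decision order from the 2025-07-09 entry, as an added Python illustration run over constructed Squid native-format access.log lines. This is example code, not the SQUID_WEBPROXY parser itself; how `has_principal`, `has_target`, `has_target_url`, `app_proto` and `method` are derived from a record is an assumption made here for the demonstration, and the sample lines are constructed.

```python
"""Added illustration of the event_type decision order from the 2025-07-09
entry. Example code, not the SQUID_WEBPROXY parser; the flag derivation in
derive_flags() is an assumption for the demonstration."""
import re

# Squid's default native access.log layout:
#   time.ms elapsed client action/code bytes method url user hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<epoch>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not from any real deployment).
SAMPLE_LINES = [
    "1754561730.123    120 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html",
    "1754561731.456   3000 10.0.0.5 TCP_TUNNEL/200 5678 CONNECT example.com:443 - HIER_DIRECT/198.51.100.10 -",
    "1754561732.789      0 10.0.0.7 TCP_DENIED/403 3456 CONNECT blocked.example:443 - HIER_NONE/- text/html",
    "1754561733.000      0 10.0.0.7 TCP_DENIED/403 3456 GET http://blocked.example/ - HIER_NONE/- text/html",
]


def parse_native_line(line):
    """Split one native-format line into its fields; None if it does not match."""
    m = NATIVE_RE.match(line.strip())
    return m.groupdict() if m else None


def derive_flags(rec):
    """Assumed derivation of the inputs the decision tree consumes.

    principal = the client address; target = the peer Squid fetched from;
    app_proto = the URL scheme, which is empty for CONNECT because the request
    target there is host:port with no scheme.
    """
    scheme = re.match(r"^(https?)://", rec["url"], re.IGNORECASE)
    return {
        "has_principal": rec["client"] != "-",
        "has_target": rec["peer"] != "-",
        "has_target_url": rec["url"] != "-",
        "app_proto": scheme.group(1).upper() if scheme else "",
        "method": "" if rec["method"] == "-" else rec["method"],
    }


def classify_event_type(has_principal, has_target, has_target_url, app_proto, method):
    """metadata.event_type per the 2025-07-09 rules; the first matching rule wins."""
    if has_principal and (has_target or has_target_url) and app_proto in ("HTTP", "HTTPS"):
        return "NETWORK_HTTP"
    if app_proto == "" and has_principal and method != "" and has_target:
        return "NETWORK_UNCATEGORIZED"
    if has_principal and has_target:
        return "NETWORK_CONNECTION"
    if has_principal and not has_target and method != "":
        return "STATUS_UNCATEGORIZED"
    if has_principal and not has_target:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def event_type_for_line(line):
    """Raw line -> event_type (GENERIC_EVENT when the line does not parse)."""
    rec = parse_native_line(line)
    if rec is None:
        return "GENERIC_EVENT"
    return classify_event_type(**derive_flags(rec))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_native_line(line)
        print(f"{rec['action']:<11} {rec['method']:<8} -> {event_type_for_line(line)}")
```

The ordering matters: a CONNECT tunnel has no URL scheme, so it never reaches NETWORK_HTTP and lands on NETWORK_UNCATEGORIZED, while a denied GET with no peer still classifies as NETWORK_HTTP because `has_target_url` satisfies the first rule.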
2025-04-08 Enhancement:
- Added a Grok pattern to parse logs in syslog format.
- "event.idm.read_only_udm.additional.fields": Newly mapped "squid_instance", "tcp_tunnel", "hier_direct" raw log fields with "event.idm.read_only_udm.additional.fields" UDM field.
- Added a condition to check if "url" raw log field is not null before mapping with "event.idm.read_only_udm.target.url" UDM field.
2025-03-26 Enhancement:
- Added a Grok pattern to parse new format of syslog logs.
- Mapped "user_agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
2025-02-27 Enhancement:
- When "action" is "TCP_MISS", mapped "ALLOW" to "security_result.action".
2024-11-04 Enhancement:
- Added support to map data from JSON logs.
- Mapped "region" to "principal.cloud.availability_zone".
- Mapped "source_type" to "additional.fields".
2024-09-11 Enhancement:
- Mapped "when" to "metadata.event_timestamp" as primary timestamp.
2024-08-15 Enhancement:
- Mapped "timestamp_value" to "metadata.event_timestamp".
2024-04-03 Enhancement:
- Mapped "user_agent" to "network.http.user_agent".
- Mapped "recv_bytes" to "network.received_bytes".
- Mapped "sent_bytes" to "network.sent_bytes".
- Mapped "src_port" to "principal.port".
- Aligned mappings for "principal.ip" and "principal.asset.ip".
- Aligned mappings for "target.ip" and "target.asset.ip".
- Aligned mappings for "target.hostname" and "target.asset.hostname".
2022-10-30 Enhancement, Bug-fix:
- Added a Grok pattern to parse dropped logs.
- Added a Grok pattern to map the hostname of the Squid proxy server to "intermediary.hostname".
2022-09-19 Enhancement:
- Parsed syslog of type squid.
- Mapped "insertId" to "metadata.product_log_id".
- Mapped "logName" to "target.process.file.full_path".
- Mapped "instance_id" to "additional.fields".
- Mapped "project_id" to "additional.fields".
- Mapped "zone" to "additional.fields".
- Mapped "type" to "additional.fields".
- Mapped "agent.ephemeral_id" to "additional.fields".
- Mapped "agent.hostname" to "principal.hostname".
- Mapped "agent.version" to "metadata.product_version".
- Mapped "host.mac" to "principal.mac".
- Mapped "host.ip" to "principal.ip".
- Mapped "event_action" to "security_result.action_details".
- Mapped "event_message" to "metadata.description".
- Mapped "host.architecture" to "principal.asset.hardware".
- Mapped "host.id" to "principal.asset.asset_id".
- Mapped "host.os.version" to "principal.platform_version".
- Mapped "host.os.kernel" to "principal.platform_patch_level".
- Mapped "host.os.codename" to "additional.fields".
- Mapped "syslog_severity" to "security_result.severity_details".
- Mapped "syslog_severity_code" to "security_result.severity".
- Mapped "host.os.platform" to "principal.platform".
- Mapped "log.file.path" to "target.process.file.full_path".