Change log for VANDYKE_SFTP
| Date | Changes |
|---|---|
| 2025-05-15 | Enhancement:<br>- `event.idm.read_only_udm.metadata.event_type`: Removed mapping of `STATUS_UPDATE` from the `event.idm.read_only_udm.metadata.event_type` UDM field and mapped `USER_LOGIN` if it is a login event.<br>- `event.idm.read_only_udm.metadata.event_type`: Removed mapping of `STATUS_UPDATE` from the `event.idm.read_only_udm.metadata.event_type` UDM field and mapped `USER_LOGOUT` if it is a logout event.<br>- Added Grok patterns to support new log patterns.<br>- `event.idm.read_only_udm.principal.user.userid`: Removed mapping of `user_id` from the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- `event.idm.read_only_udm.target.user.userid`: Newly mapped the `username` raw log field to the `event.idm.read_only_udm.target.user.userid` UDM field.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: Removed mapping of `username` from the `event.idm.read_only_udm.principal.user.user_display_name` UDM field.<br>- `event.idm.read_only_udm.target.user.user_display_name`: Mapped the `username` raw log field to the `event.idm.read_only_udm.target.user.user_display_name` UDM field.<br>- `event.idm.read_only_udm.security_result.action`: Newly mapped `ALLOW` to `event.idm.read_only_udm.security_result.action` if it is a successful login event.<br>- `event.idm.read_only_udm.security_result.action`: Newly mapped `BLOCK` to `event.idm.read_only_udm.security_result.action` if it is a failed login event.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `id` raw log field to the `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-05-13 | Enhancement:<br>- Added `gsub` filters to remove carriage returns (`\r\n`) and newlines (`\n`) from the `message` field.<br>- Modified the Grok pattern for the `port` field from `%{DATA:port}` to `%{INT:port}` to ensure the port is parsed as an integer. |
| 2025-03-13 | Enhancement:<br>- Added a Grok pattern to extract `principal.user.userid`.<br>- Mapped `reason` to `security_result.summary`.<br>- Mapped `srcip` to `principal.ip` and `principal.asset.ip`.<br>- Mapped `username` to `principal.user.user_display_name`. |
| 2025-02-11 | Enhancement:<br>- Added a Grok pattern for the new syslog format. |
| 2022-03-25 | - Newly created parser.<br>- Supports JSON and SYSLOG formats. |
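The following is an added illustration of the mapping rules recorded above (CR/LF stripping, integer `port`, `USER_LOGIN`/`USER_LOGOUT` event types, `ALLOW`/`BLOCK` on login outcome, `username`, `srcip`, `reason` and `id` placement); it is not the parser's own code and does not use the Chronicle parser DSL. The VanDyke syslog layout is not documented on this page, so the sample lines, the `Authentication succeeded`/`Authentication failed`/`Disconnected` phrases, the placement of `port` under `principal.port`, and the flat dictionary used for `additional.fields` are all assumptions made for the example.

```python
import re

# Constructed sample lines. The real VanDyke SFTP syslog format is an
# assumption here; only the field names (id, username, srcip, port, reason)
# come from the change log above.
SAMPLE_LOGS = [
    "<14>May 15 10:01:02 sftp01 VShell[1234]: id=1001 Authentication succeeded"
    " for username=alice from srcip=10.0.0.5 port=51234\r\n",
    "<14>May 15 10:02:07 sftp01 VShell[1234]: id=1002 Authentication failed"
    " for username=bob from srcip=10.0.0.9 port=51240 reason=Bad password\n",
    "<14>May 15 10:15:00 sftp01 VShell[1234]: id=1003 Disconnected"
    " username=alice from srcip=10.0.0.5 port=51234\n",
]

# Regex standing in for the Grok pattern. %{INT:port} becomes \d+ so that a
# non-numeric port fails to match instead of being captured as text.
PATTERN = re.compile(
    r"id=(?P<id>\d+) "
    r"(?P<event>Authentication succeeded|Authentication failed|Disconnected)"
    r"(?: for)? username=(?P<username>\S+) from srcip=(?P<srcip>\S+)"
    r" port=(?P<port>\d+)(?: reason=(?P<reason>.+))?$"
)

# Event phrase -> (metadata.event_type, security_result.action). The action is
# only set for login events, matching the 2025-05-15 entry; the phrases
# themselves are assumed, not taken from the page.
EVENT_RULES = {
    "Authentication succeeded": ("USER_LOGIN", "ALLOW"),
    "Authentication failed": ("USER_LOGIN", "BLOCK"),
    "Disconnected": ("USER_LOGOUT", None),
}


def to_udm(raw: str):
    """Map one raw syslog line to a simplified UDM-shaped dict, or None if the
    line does not match the pattern (the parser would drop or generic-map it)."""
    # Equivalent of the gsub filters: strip \r\n and \n from the message.
    message = re.sub(r"[\r\n]+", "", raw)
    match = PATTERN.search(message)
    if match is None:
        return None
    event_type, action = EVENT_RULES[match["event"]]
    udm = {
        "metadata": {"event_type": event_type},
        # srcip -> principal.ip and principal.asset.ip (2025-03-13 entry).
        "principal": {
            "ip": match["srcip"],
            "asset": {"ip": match["srcip"]},
            # port now carried as an integer (2025-05-13 entry); the UDM
            # location principal.port is an assumption.
            "port": int(match["port"]),
        },
        # username -> target.user.userid / user_display_name (2025-05-15).
        "target": {
            "user": {
                "userid": match["username"],
                "user_display_name": match["username"],
            }
        },
        "security_result": {},
        # id -> additional.fields, represented here as a flat dict.
        "additional": {"fields": {"id": match["id"]}},
    }
    if action is not None:
        udm["security_result"]["action"] = action
    if match["reason"]:
        # reason -> security_result.summary (2025-03-13 entry).
        udm["security_result"]["summary"] = match["reason"]
    return udm


def parse_all(lines=SAMPLE_LOGS):
    """Parse every sample line; unmatched lines are kept as None."""
    return [to_udm(line) for line in lines]


if __name__ == "__main__":
    for event in parse_all():
        print(event)
```

The `(?P<port>\d+)` group is the reason the 2025-05-13 change matters for detection content: with `%{DATA:port}` a trailing `\r` could be swallowed into the port value, so range comparisons or joins on the port field silently fail; with the integer pattern plus the `gsub` cleanup the value is either a clean integer or the line does not match at all.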