Change log for VMWARE_VCENTER

Date Changes
2024-08-27 Enhancement:
- Added support for a new pattern of JSON logs.
2024-06-03 Enhancement:
- Added support for a new pattern of JSON logs.
2023-11-13 Enhancement:
- Added a Grok pattern to parse "url" field.
- Mapped "url" to "target.url".
- Mapped "response_details" to "target.resource.attribute.labels".
- Mapped "usr_agnt" to "network.http.user_agent".
- Mapped "ver_proto" to "network.tls.version".
2023-09-27 Enhancement:
- Modified the JSON key name using a "gsub" function from:
- "event" to "log_event".
- "host" to "host1".
- "@timestamp" to "timestamp".
- "@version" to "version".
- Added a new Grok pattern to parse the new log type SYSLOG + KV.
- Mapped "DeviceUUID" to "metadata.product_log_id".
- Mapped "InstanceId" to "target.asset_id".
- Mapped "EventPriority" to "security_result.severity".
- Mapped "AccessControlRuleAction" to "security_result_action".
- Mapped "SrcIP" to "principal.ip".
- Mapped "DstIP" to "target.ip".
- Mapped "ICMPType", "ICMPCode", "IngressInterface", "EgressInterface", "WebApplication", "DNSQuery", "DNSRecordType", "DNSResponseType", "DNS_TTL", "service.type", "log.syslog.facility.code", "log.syslog.facility.name", "log.syslog.severity.code","log.syslog.severity.name", "log.syslog.priority" to "additional.fields".
- Mapped "Protocol" to "network.ip_protocol".
- Mapped "IngressZone" to "principal.location.name".
- Mapped "EgressZone" to "target.location.name".
- Mapped "ACPolicy" to "security_result.rule_labels".
- Mapped "AccessControlRuleName" to "security_result.rule_name".
- Mapped "NAPPolicy" to "security_result.rule_labels".
- Mapped "InitiatorPackets" to "network.sent_packets".
- Mapped "ResponderPackets" to "network.received_packets".
- Mapped "InitiatorBytes" to "network.sent_bytes".
- Mapped "ResponderBytes" to "network.received_bytes".
- Mapped "FirstPacketSecond" and "ConnectionID" to "security_result.about.labels".
- Mapped "User" to "security_result.summary".
- Mapped "UserAgent" to "network.http.user_agent".
- Mapped "Client" to "target.labels".
- Mapped "ClientVersion" to "target.platform_version".
- Mapped "ReferencedHost" to "target.hostname".
- Mapped "URL" to "target.url".
- Mapped "HTTPResponse" to "network.http.response_code".
- Mapped "ApplicationProtocol" to "network.application_protocol".
- Mapped "host1.ip" to "principal.ip".
- Mapped "version" to "metadata.product_version".
- Mapped "desc" to "metadata.description".
- Mapped "http_method" to "network.http.method".
- Added Grok patterns to match the "desc".
- Mapped "principal_ip1" to "principal.ip".
- Mapped "principal_ip2" to "principal.ip".
- Mapped "target_ip1" to "target.ip".
- Mapped "target_ip2" to "target.ip".
- Mapped "principal_port" to "principal.port".
- Mapped "target_port" to "target.port".
- Set "metadata.event_type" to "NETWORK_HTTP" when "principal" and "target" are present and "application_protocol" is "HTTP".
- Set "metadata.event_type" to "NETWORK_CONNECTION" when "principal", "target", "application_protocol", and "ip_protocol" are present".
2023-02-08 Enhancement - Parsed the logs containing "eventid", "Rhttproxy" by adding/modifying some grok patterns.
- Mapped "Account Domain" to "principal.administrative_domain".
- Mapped "Client Address" to "principal.ip".
- Mapped "Client port" to "principal.port".
- Mapped "Source port" to "principal.port".
- Mapped "Source Network Address" to "principal.ip".
- Mapped "providername" to "principal.application".
- Mapped "Access Mask" to "principal.process.access_mask".
- Mapped "Logon Account" to "principal.user.userid".
- Mapped "User ID" to "target.user.windows_sid".
- Mapped "Account Name" to "target.user.userid".
- Mapped "Security ID" to "target.user.windows_sid".
- Mapped "Authentication Package" to "security_result.about.resource.name".
- Mapped "Relative Target Name" to "target.file.full_path".
- Mapped "Share Name" to "target.resource.name".
- Mapped "Logon Type" to "extensions.auth.mechanism".
- Mapped "eventid" to "metadata.product_event_type".
2023-01-12 Enhancement -
- Added support to parser logs by adding following mappings.
- Mapped "insertId" to "metadata.product_log_id".
- Mapped "labels.log_type" to "metadata.product_event_type".
- Mapped "labels.net.host.ip" to "principal.ip".
- Mapped "labels.net.host.port" to "principal.port".
- Mapped "labels.net.peer.ip" to "target.ip".
- Mapped "labels.net.peer.port" to "target.port".
- Mapped "labels.net.peer.port" to "target.port".
- Mapped "labels.net.transport" to "network.ip_protocol".
- Mapped "logName" to "security_result.category_details".
- Mapped "@fields.host" to "principal.hostname".
- Mapped "@fields.facility" to "principal.resource.type".
- Mapped "@fields.company_name" to "principal.user.company_name".
- Mapped "@fields.privatecloud_id" to "principal.cloud.project.id".
- Mapped "@fields.privatecloud_name" to "principal.cloud.project.name".
- Mapped "@fields.procid" to "principal.process.pid".
- Mapped "@fields.region_id" to "principal.location.country_or_region".
- Mapped "@version" to "principal.platform_version".
- Mapped "basedn_group_iden" to "target.user.group_identifiers".
- Mapped "cipher" to "network.tls.cipher".
- Mapped "version" to "network.tls.version".
- Mapped "msgid" to "network.email.mail_id".
- Mapped "verify" to "security_result.description".
- Mapped "size" to "network.sent_bytes".
- Mapped "stat" to "security_result.summary".
- Mapped "from" to "network.email.from".
- Mapped "to" to "network.email.to".
- Mapped "get_error" to "intermediary.labels".
- Mapped "relay_ip" to "intermediary.ip".
- Mapped "relay_domain" to "intermediary.hostname".
- Mapped "ssh_proto" to "network.application_protocol".
- Mapped "cmd" to "target.process.command_line".
- Mapped "user_id" to "principal.user.userid".
- Mapped "user_agent" to "network.http.user_agent".
- Mapped "file_path" to "target.process.file.full_path".
- Mapped "server_name" to "target.hostname".
- Mapped "target_userid" to "target.user.userid".
- Mapped "ip" to "target.ip".
- Mapped "level" to "security_result.severity".
- Mapped "resource.type" to "src.labels".
- Mapped "upn_name" to "intermediary.url".
- Added drop tags for logs being dropped.
2022-05-06 Moved customer specific parser to default.
Syslog format logs are handled.
Added and modified multiple fields to increase log parsing percentage:
network.http.response_code, file.full_path, network.sent_bytes, http.method,
application_protocol, severity, port,process.pid,command_line, event_type.