Change log for VMWARE_VCENTER
Date | Changes |
---|---|
2024-08-27 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
2024-06-03 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
2023-11-13 | Enhancement:<br>- Added a Grok pattern to parse the "url" field.<br>- Mapped "url" to "target.url".<br>- Mapped "response_details" to "target.resource.attribute.labels".<br>- Mapped "usr_agnt" to "network.http.user_agent".<br>- Mapped "ver_proto" to "network.tls.version". |
2023-09-27 | Enhancement:<br>- Renamed JSON keys with a "gsub" function: "event" to "log_event", "host" to "host1", "@timestamp" to "timestamp", and "@version" to "version".<br>- Added a new Grok pattern to parse the new log type SYSLOG + KV.<br>- Mapped "DeviceUUID" to "metadata.product_log_id".<br>- Mapped "InstanceId" to "target.asset_id".<br>- Mapped "EventPriority" to "security_result.severity".<br>- Mapped "AccessControlRuleAction" to "security_result.action".<br>- Mapped "SrcIP" to "principal.ip".<br>- Mapped "DstIP" to "target.ip".<br>- Mapped "ICMPType", "ICMPCode", "IngressInterface", "EgressInterface", "WebApplication", "DNSQuery", "DNSRecordType", "DNSResponseType", "DNS_TTL", "service.type", "log.syslog.facility.code", "log.syslog.facility.name", "log.syslog.severity.code", "log.syslog.severity.name", and "log.syslog.priority" to "additional.fields".<br>- Mapped "Protocol" to "network.ip_protocol".<br>- Mapped "IngressZone" to "principal.location.name".<br>- Mapped "EgressZone" to "target.location.name".<br>- Mapped "ACPolicy" to "security_result.rule_labels".<br>- Mapped "AccessControlRuleName" to "security_result.rule_name".<br>- Mapped "NAPPolicy" to "security_result.rule_labels".<br>- Mapped "InitiatorPackets" to "network.sent_packets".<br>- Mapped "ResponderPackets" to "network.received_packets".<br>- Mapped "InitiatorBytes" to "network.sent_bytes".<br>- Mapped "ResponderBytes" to "network.received_bytes".<br>- Mapped "FirstPacketSecond" and "ConnectionID" to "security_result.about.labels".<br>- Mapped "User" to "security_result.summary".<br>- Mapped "UserAgent" to "network.http.user_agent".<br>- Mapped "Client" to "target.labels".<br>- Mapped "ClientVersion" to "target.platform_version".<br>- Mapped "ReferencedHost" to "target.hostname".<br>- Mapped "URL" to "target.url".<br>- Mapped "HTTPResponse" to "network.http.response_code".<br>- Mapped "ApplicationProtocol" to "network.application_protocol".<br>- Mapped "host1.ip" to "principal.ip".<br>- Mapped "version" to "metadata.product_version".<br>- Mapped "desc" to "metadata.description".<br>- Mapped "http_method" to "network.http.method".<br>- Added Grok patterns to match "desc".<br>- Mapped "principal_ip1" and "principal_ip2" to "principal.ip".<br>- Mapped "target_ip1" and "target_ip2" to "target.ip".<br>- Mapped "principal_port" to "principal.port".<br>- Mapped "target_port" to "target.port".<br>- Set "metadata.event_type" to "NETWORK_HTTP" when "principal" and "target" are present and "application_protocol" is "HTTP".<br>- Set "metadata.event_type" to "NETWORK_CONNECTION" when "principal", "target", "application_protocol", and "ip_protocol" are present. |
2023-02-08 | Enhancement:<br>- Parsed logs containing "eventid" and "Rhttproxy" by adding and modifying Grok patterns.<br>- Mapped "Account Domain" to "principal.administrative_domain".<br>- Mapped "Client Address" to "principal.ip".<br>- Mapped "Client port" to "principal.port".<br>- Mapped "Source port" to "principal.port".<br>- Mapped "Source Network Address" to "principal.ip".<br>- Mapped "providername" to "principal.application".<br>- Mapped "Access Mask" to "principal.process.access_mask".<br>- Mapped "Logon Account" to "principal.user.userid".<br>- Mapped "User ID" to "target.user.windows_sid".<br>- Mapped "Account Name" to "target.user.userid".<br>- Mapped "Security ID" to "target.user.windows_sid".<br>- Mapped "Authentication Package" to "security_result.about.resource.name".<br>- Mapped "Relative Target Name" to "target.file.full_path".<br>- Mapped "Share Name" to "target.resource.name".<br>- Mapped "Logon Type" to "extensions.auth.mechanism".<br>- Mapped "eventid" to "metadata.product_event_type". |
2023-01-12 | Enhancement:<br>- Added support to parse logs by adding the following mappings.<br>- Mapped "insertId" to "metadata.product_log_id".<br>- Mapped "labels.log_type" to "metadata.product_event_type".<br>- Mapped "labels.net.host.ip" to "principal.ip".<br>- Mapped "labels.net.host.port" to "principal.port".<br>- Mapped "labels.net.peer.ip" to "target.ip".<br>- Mapped "labels.net.peer.port" to "target.port".<br>- Mapped "labels.net.transport" to "network.ip_protocol".<br>- Mapped "logName" to "security_result.category_details".<br>- Mapped "@fields.host" to "principal.hostname".<br>- Mapped "@fields.facility" to "principal.resource.type".<br>- Mapped "@fields.company_name" to "principal.user.company_name".<br>- Mapped "@fields.privatecloud_id" to "principal.cloud.project.id".<br>- Mapped "@fields.privatecloud_name" to "principal.cloud.project.name".<br>- Mapped "@fields.procid" to "principal.process.pid".<br>- Mapped "@fields.region_id" to "principal.location.country_or_region".<br>- Mapped "@version" to "principal.platform_version".<br>- Mapped "basedn_group_iden" to "target.user.group_identifiers".<br>- Mapped "cipher" to "network.tls.cipher".<br>- Mapped "version" to "network.tls.version".<br>- Mapped "msgid" to "network.email.mail_id".<br>- Mapped "verify" to "security_result.description".<br>- Mapped "size" to "network.sent_bytes".<br>- Mapped "stat" to "security_result.summary".<br>- Mapped "from" to "network.email.from".<br>- Mapped "to" to "network.email.to".<br>- Mapped "get_error" to "intermediary.labels".<br>- Mapped "relay_ip" to "intermediary.ip".<br>- Mapped "relay_domain" to "intermediary.hostname".<br>- Mapped "ssh_proto" to "network.application_protocol".<br>- Mapped "cmd" to "target.process.command_line".<br>- Mapped "user_id" to "principal.user.userid".<br>- Mapped "user_agent" to "network.http.user_agent".<br>- Mapped "file_path" to "target.process.file.full_path".<br>- Mapped "server_name" to "target.hostname".<br>- Mapped "target_userid" to "target.user.userid".<br>- Mapped "ip" to "target.ip".<br>- Mapped "level" to "security_result.severity".<br>- Mapped "resource.type" to "src.labels".<br>- Mapped "upn_name" to "intermediary.url".<br>- Added drop tags for logs being dropped. |
2022-05-06 | Moved the customer-specific parser to the default parser.<br>- Syslog format logs are handled.<br>- Added and modified multiple fields to increase the log parsing percentage: network.http.response_code, file.full_path, network.sent_bytes, http.method, application_protocol, severity, port, process.pid, command_line, event_type. |
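The two normalization paths described in the 2023-09-27 entry (the "gsub" key rename before JSON parsing, the SYSLOG + KV field extraction, the field-to-UDM mappings, and the "metadata.event_type" rules), reimplemented below as an added Python example. This is not the Chronicle parser itself, which is written in the Logstash-style parser language, and the syslog line and JSON record are constructed for illustration. The mapping table is copied from that entry; the "GENERIC_EVENT" fallback when neither rule matches, the integer and upper-case coercions, and the decision to rename keys only in key position are assumptions the changelog does not state. The last point is the practical caveat: a bare text substitution of "host" with "host1" would also rewrite a "hostname" key and any value containing "host", so the rename is anchored on a quoted key followed by a colon.

```python
import json
import re

# Constructed sample inputs for illustration (not captured vCenter data): a
# syslog + KV line and a JSON record of the shapes the 2023-09-27 entry describes.
SAMPLE_KV = (
    '<14>Sep 27 10:15:00 vc01 DeviceUUID=0f3e-77aa InstanceId=2 EventPriority=Low '
    'AccessControlRuleAction=Allow SrcIP=10.0.0.5 DstIP=10.0.0.9 Protocol=tcp '
    'IngressZone=inside EgressZone=dmz ACPolicy=default NAPPolicy=balanced '
    'AccessControlRuleName=allow-web InitiatorPackets=5 ResponderPackets=3 '
    'InitiatorBytes=512 ResponderBytes=2048 ConnectionID=41 '
    'URL=http://vc01.example.internal/ui HTTPResponse=200 ApplicationProtocol=http '
    'UserAgent="Mozilla/5.0" DNSQuery=vc01.example.internal'
)
SAMPLE_JSON = ('{"event": {"type": "audit"}, "host": {"ip": "10.0.0.5", "hostname": "vc01"}, '
               '"@timestamp": "2023-09-27T10:15:00Z", "@version": "1", "desc": "session opened"}')

# Key renames from the changelog's gsub step. The regex matches a quoted key followed
# by a colon only, so a "hostname" key or a value containing "host" is left alone.
JSON_KEY_RENAMES = {"event": "log_event", "host": "host1",
                    "@timestamp": "timestamp", "@version": "version"}
_KEY_RE = re.compile(r'"(%s)"\s*:' % "|".join(re.escape(k) for k in JSON_KEY_RENAMES))

# Source field -> UDM path, as listed in the 2023-09-27 entry.
KV_TO_UDM = {
    "DeviceUUID": "metadata.product_log_id", "InstanceId": "target.asset_id",
    "EventPriority": "security_result.severity", "AccessControlRuleAction": "security_result.action",
    "SrcIP": "principal.ip", "DstIP": "target.ip", "Protocol": "network.ip_protocol",
    "IngressZone": "principal.location.name", "EgressZone": "target.location.name",
    "ACPolicy": "security_result.rule_labels", "NAPPolicy": "security_result.rule_labels",
    "AccessControlRuleName": "security_result.rule_name",
    "InitiatorPackets": "network.sent_packets", "ResponderPackets": "network.received_packets",
    "InitiatorBytes": "network.sent_bytes", "ResponderBytes": "network.received_bytes",
    "FirstPacketSecond": "security_result.about.labels", "ConnectionID": "security_result.about.labels",
    "User": "security_result.summary", "UserAgent": "network.http.user_agent",
    "Client": "target.labels", "ClientVersion": "target.platform_version",
    "ReferencedHost": "target.hostname", "URL": "target.url",
    "HTTPResponse": "network.http.response_code", "ApplicationProtocol": "network.application_protocol",
}
ADDITIONAL_FIELDS = {"ICMPType", "ICMPCode", "IngressInterface", "EgressInterface", "WebApplication",
                     "DNSQuery", "DNSRecordType", "DNSResponseType", "DNS_TTL"}
JSON_TO_UDM = {"host1.ip": "principal.ip", "version": "metadata.product_version",
               "desc": "metadata.description"}
REPEATED = {"principal.ip", "target.ip"}  # repeated UDM fields, kept as lists
INT_PATHS = {"network.sent_packets", "network.received_packets", "network.sent_bytes",
             "network.received_bytes", "network.http.response_code"}  # assumed int coercion
UPPER_PATHS = {"network.ip_protocol", "network.application_protocol"}  # assumed enum casing
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def rename_json_keys(raw: str) -> str:
    return _KEY_RE.sub(lambda m: '"%s":' % JSON_KEY_RENAMES[m.group(1)], raw)

def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested JSON into dotted keys so "host1.ip" can be looked up directly."""
    out = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def parse_kv(line: str) -> dict:
    """Extract key=value pairs (quoted values allowed) from the body of a syslog line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def set_udm(udm: dict, path: str, src_key: str, value) -> None:
    parts = path.split(".")
    node = udm
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    leaf = parts[-1]
    if leaf in ("labels", "rule_labels"):  # key/value label lists
        node.setdefault(leaf, []).append({"key": src_key, "value": value})
    elif leaf == "fields":  # additional.fields map
        node.setdefault(leaf, {})[src_key] = value
    elif path in REPEATED:
        node.setdefault(leaf, []).append(value)
    else:
        if path in INT_PATHS:
            value = int(value)
        if path in UPPER_PATHS:
            value = value.upper()
        node[leaf] = value

def apply_mappings(fields: dict, table: dict, udm: dict) -> None:
    for key, value in fields.items():
        path = table.get(key) or ("additional.fields" if key in ADDITIONAL_FIELDS else None)
        if path:
            set_udm(udm, path, key, value)

def derive_event_type(udm: dict) -> str:
    """event_type rules from the changelog; the GENERIC_EVENT fallback is an assumption."""
    has_endpoints = bool(udm.get("principal")) and bool(udm.get("target"))
    net = udm.get("network", {})
    app = net.get("application_protocol")
    if has_endpoints and app == "HTTP":
        return "NETWORK_HTTP"
    if has_endpoints and app and net.get("ip_protocol"):
        return "NETWORK_CONNECTION"
    return "GENERIC_EVENT"

def normalize(raw: str) -> dict:
    """Route a raw log to the JSON or syslog + KV path and return a UDM-shaped dict."""
    udm = {"metadata": {}}
    if raw.lstrip().startswith("{"):
        apply_mappings(flatten(json.loads(rename_json_keys(raw))), JSON_TO_UDM, udm)
    else:
        apply_mappings(parse_kv(raw), KV_TO_UDM, udm)
    udm["metadata"]["event_type"] = derive_event_type(udm)
    return udm

if __name__ == "__main__":
    for sample in (SAMPLE_KV, SAMPLE_JSON):
        print(json.dumps(normalize(sample), indent=2))
```

Run as-is to see both samples normalized. The KV line yields "NETWORK_HTTP" because both endpoints are present and the application protocol is HTTP; change "ApplicationProtocol=http" to another value and the same line falls through to "NETWORK_CONNECTION", and dropping "Protocol=tcp" as well leaves only the fallback. The JSON record ends up with a principal but no target, so it also takes the fallback, while the "hostname" key survives the rename untouched.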