Change log for AIX_SYSTEM
| Date | Changes |
|---|---|
| 2026-01-04 | Enhancement:<br>- Added new grok patterns to the `description` field to parse new formats of syslog logs.<br>- Newly mapped `library_path` raw log field to `event.idm.read_only_udm.security_result.about.file.full_path` UDM field.<br>- Newly mapped `template_id` raw log field to `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- Newly mapped `error_code1`, `error_code2`, `ffdc_info` and `location` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.<br>- Newly mapped `sap_instance_id` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` UDM field. |
| 2025-12-11 | Enhancement:<br>- Added new grok patterns to parse new formats of syslog logs.<br>- Newly mapped `sec_result_description` raw log field to `event.idm.read_only_udm.security_result.description` UDM field.<br>- Newly mapped `user_agent` raw log field to `event.idm.read_only_udm.network.http.user_agent` UDM field.<br>- If `severity` is `warn`, `event.idm.read_only_udm.security_result.severity` is set to `MEDIUM`.<br>- Added new grok patterns to parse new formats of the `description` field. |
| 2025-12-10 | Enhancement:<br>- Enhanced grok patterns to parse new log formats.<br>- Newly mapped `description` raw log field to `event.idm.read_only_udm.metadata.description` UDM field. |
| 2025-11-20 | Enhancement:<br>- Enhanced grok patterns to parse new log formats.<br>- Added conditional mapping that sets `event.idm.read_only_udm.security_result.action` to `FAIL` when the raw `action` field is `fail` or `failed`.<br>- Newly mapped `process_name` raw log field to `event.idm.read_only_udm.principal.process.file.names` UDM field.<br>- Newly mapped `target_hostname` raw log field to `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields.<br>- Newly mapped `Error_Type` raw log field to `event.idm.read_only_udm.security_result.summary` UDM field.<br>- Newly mapped `sendmail_queue_id` raw log field to `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- Newly mapped `ini_parameter`, `ini_section`, `backup_ini_file`, `return_code`, `instance_name`, `node_number`, `edu_id`, `edu_name_base`, `edu_db`, `edu_num`, `thread_id`, `db_name`, `probe_number`, `product_name`, `component_name`, `function_name`, `called_product`, `called_component` and `called_function` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-08-28 | Enhancement:<br>- Added a grok pattern to extract `prod_type`, `path`, `user_id`, `command_line`, `process_type`, `username` and `tty`.<br>- Newly mapped `path` raw log field to `event.idm.read_only_udm.target.file.full_path` UDM field.<br>- Newly mapped `process_type` raw log field to `event.idm.read_only_udm.target.resource.name` UDM field.<br>- Consolidated all mappings for `event.idm.read_only_udm.additional.fields`, `event.idm.read_only_udm.principal.resource.attribute.labels` and `event.idm.read_only_udm.target.resource.attribute.labels`. |
| 2025-08-11 | Enhancement:<br>- Added a grok pattern to parse the `user_id` field.<br>- Newly mapped `user_id` raw log field to `event.idm.read_only_udm.target.user.userid` UDM field.<br>- `event.idm.read_only_udm.metadata.event_type` is set to `USER_LOGIN` when `has_principal` and `has_target_user` are both true.<br>- `event.idm.read_only_udm.metadata.event_type` is set to `NETWORK_CONNECTION` when `has_principal` and `has_target` are both true. |
| 2025-07-10 | Enhancement:<br>- Added a grok pattern to parse a new log format.<br>- Added a gsub function to parse the new log format.<br>- Newly mapped `action` raw log field to `event.idm.read_only_udm.security_result.action` UDM field.<br>- Newly mapped `date` and `time` raw log fields to `event.idm.read_only_udm.metadata.event_timestamp` UDM field.<br>- Newly mapped `devname` raw log field to `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields.<br>- Newly mapped `_hardware` raw log field to `event.idm.read_only_udm.principal.asset.hardware.serial_number` UDM field.<br>- Newly mapped `type` raw log field to `event.idm.read_only_udm.metadata.product_event_type` UDM field.<br>- Newly mapped `subtype`, `eventtime`, `poluuid`, `dstdevtype`, `dstfamily`, `trandisp`, `appcat`, `vpntype`, `sentdelta` and `rcvddelta` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.<br>- Newly mapped `level` raw log field to `event.idm.read_only_udm.security_result.severity` and `event.idm.read_only_udm.security_result.severity_details` UDM fields.<br>- Newly mapped `logid` raw log field to `event.idm.read_only_udm.metadata.product_log_id` UDM field.<br>- Newly mapped `vd` raw log field to `event.idm.read_only_udm.principal.administrative_domain` UDM field.<br>- Newly mapped `srcip` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- Newly mapped `srcport` raw log field to `event.idm.read_only_udm.principal.port` UDM field.<br>- Newly mapped `dstport` raw log field to `event.idm.read_only_udm.target.port` UDM field.<br>- Newly mapped `dstip` raw log field to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- Newly mapped `srcname` raw log field to `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- Newly mapped `unauthuser` raw log field to `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- Newly mapped `unauthusersource`, `srcserver`, `srcintfrole` and `srcintf` raw log fields to `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.<br>- Newly mapped `dstserver`, `dstintfrole` and `dstintf` raw log fields to `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- Newly mapped `srcmac` raw log field to `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac` UDM fields.<br>- Newly mapped `dstmac` raw log field to `event.idm.read_only_udm.target.mac` and `event.idm.read_only_udm.target.asset.mac` UDM fields.<br>- Newly mapped `mastersrcmac` raw log field to `event.idm.read_only_udm.principal.mac` and `event.idm.read_only_udm.principal.asset.mac` UDM fields.<br>- Newly mapped `masterdstmac` raw log field to `event.idm.read_only_udm.target.mac` and `event.idm.read_only_udm.target.asset.mac` UDM fields.<br>- Newly mapped `srccountry` raw log field to `event.idm.read_only_udm.security_result.detection_fields` if its value is `Reserved`, otherwise to `event.idm.read_only_udm.principal.location.country_or_region` UDM field.<br>- Newly mapped `dstcountry` raw log field to `event.idm.read_only_udm.security_result.detection_fields` if its value is `Reserved`, otherwise to `event.idm.read_only_udm.target.location.country_or_region` UDM field.<br>- Newly mapped `sessionid` raw log field to `event.idm.read_only_udm.network.session_id` UDM field.<br>- Newly mapped `proto` raw log field to `event.idm.read_only_udm.network.ip_protocol` UDM field.<br>- Newly mapped `policyid` raw log field to `event.idm.read_only_udm.security_result.rule_id` UDM field.<br>- Newly mapped `policyname` raw log field to `event.idm.read_only_udm.security_result.rule_name` UDM field.<br>- Newly mapped `policytype` raw log field to `event.idm.read_only_udm.security_result.rule_type` UDM field.<br>- Newly mapped `service` raw log field to `event.idm.read_only_udm.network.application_protocol` if its value is a protocol name, otherwise to `event.idm.read_only_udm.target.application` UDM field.<br>- Newly mapped `duration` raw log field to `event.idm.read_only_udm.network.session_duration` UDM field.<br>- Newly mapped `dsthwvendor` raw log field to `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.<br>- Newly mapped `sentbyte` raw log field to `event.idm.read_only_udm.network.sent_bytes` UDM field.<br>- Newly mapped `rcvdbyte` raw log field to `event.idm.read_only_udm.network.received_bytes` UDM field.<br>- Newly mapped `sentpkt` raw log field to `event.idm.read_only_udm.network.sent_packets` UDM field.<br>- Newly mapped `rcvdpkt` raw log field to `event.idm.read_only_udm.network.received_packets` UDM field.<br>- Newly mapped `osname` raw log field to `event.idm.read_only_udm.principal.platform` UDM field.<br>- Newly mapped `dstosname` raw log field to `event.idm.read_only_udm.target.platform` UDM field.<br>- Newly mapped `srcswversion` raw log field to `event.idm.read_only_udm.principal.platform_version` UDM field.<br>- Newly mapped `dstswversion` raw log field to `event.idm.read_only_udm.target.platform_version` UDM field.<br>- Newly mapped `dsthwversion` raw log field to `event.idm.read_only_udm.security_result.rule_version` UDM field.<br>- Newly mapped `remip` raw log field to `event.idm.read_only_udm.target.ip` and `event.idm.read_only_udm.target.asset.ip` UDM fields.<br>- Newly mapped `locip` raw log field to `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- Newly mapped `remport` raw log field to `event.idm.read_only_udm.target.port` UDM field.<br>- Newly mapped `locport` raw log field to `event.idm.read_only_udm.principal.port` UDM field.<br>- Newly mapped `msg` raw log field to `event.idm.read_only_udm.metadata.description` UDM field.<br>- Newly mapped `logdesc` raw log field to `event.idm.read_only_udm.security_result.summary` UDM field.<br>- Newly mapped `dst_host` raw log field to `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` UDM fields.<br>- Added `on_error` handling to KV filters to improve parser robustness. |
| 2025-05-12 | Enhancement:<br>- Added grok patterns to support a new log format. |
| 2025-02-16 | Enhancement:<br>- Added support for syslog logs. |
| 2024-10-09 | Bug-Fix:<br>- Added support for RFC3339 format timestamps. |
| 2024-08-29 | Enhancement:<br>- Added a grok pattern to parse a new log type.<br>- Mapped `dis_name` raw log field to `principal.group.group_display_name` UDM field.<br>- Mapped `action` raw log field to `security_result.action_details` UDM field. |
| 2024-04-30 | Enhancement:<br>- Enhanced parser to support a new log format. |
| 2023-06-21 | Newly created parser. |
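The conditional rules spread across the 2025-07-10, 2025-11-20 and 2025-12-11 entries (the `Reserved` test on `srccountry`/`dstcountry`, the protocol-name test on `service`, `warn` to `MEDIUM`, `fail`/`failed` to `FAIL`, and `on_error` tolerance in the key=value filter) are easier to check as code than as prose. The Python below is an added example, not the AIX_SYSTEM parser itself (which is a Logstash-style configuration) and not Google's code. The raw field names come from the change log; the two sample lines are constructed, and the `PROTOCOL_NAMES`, `IP_PROTOCOL_BY_NUMBER` and `SEVERITY_BY_LEVEL` tables are assumptions, since the change log names the fields but not those value sets (apart from `warn` → `MEDIUM`).

```python
"""Added model (not the AIX_SYSTEM parser) of the key=value parsing and conditional
UDM mapping rules in its change log. Sample lines and lookup tables are assumed."""
import re
from datetime import datetime

# key=value pair; value is double-quoted (spaces and \" escapes allowed) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

PROTOCOL_NAMES = {"tcp", "udp", "icmp", "http", "https", "dns", "ssh", "smtp"}  # assumed
IP_PROTOCOL_BY_NUMBER = {"1": "ICMP", "6": "TCP", "17": "UDP"}                   # assumed
SEVERITY_BY_LEVEL = {"emergency": "CRITICAL", "alert": "CRITICAL", "critical": "CRITICAL",
                     "error": "HIGH", "warning": "MEDIUM", "warn": "MEDIUM", "notice": "LOW",
                     "information": "INFORMATIONAL"}  # assumed, except warn -> MEDIUM (from the log)


def parse_kv(line):
    """Split a key=value line into a dict. Malformed tokens go into `errors` instead of
    aborting the parse, the effect of an `on_error` guard on a KV filter."""
    fields, errors, pos = {}, [], 0
    for m in KV_RE.finditer(line):
        leftover = line[pos:m.start()].strip()
        if leftover:
            errors.append(leftover)
        key, val = m.group(1), m.group(2)
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
        pos = m.end()
    leftover = line[pos:].strip()
    if leftover:
        errors.append(leftover)
    return fields, errors


def to_udm(fields):
    """Apply the mapping rules; keys are UDM paths minus the event.idm.read_only_udm. prefix."""
    udm = {}

    def put(path, value):
        if value not in (None, ""):
            udm[path] = value

    for raw, path in (("srcip", "principal.ip"), ("dstip", "target.ip"),
                      ("devname", "target.hostname"), ("logid", "metadata.product_log_id"),
                      ("msg", "metadata.description"), ("policyid", "security_result.rule_id"),
                      ("policyname", "security_result.rule_name"),
                      ("level", "security_result.severity_details")):
        put(path, fields.get(raw))
    for raw, path in (("srcport", "principal.port"), ("dstport", "target.port"),
                      ("sentbyte", "network.sent_bytes"), ("rcvdbyte", "network.received_bytes")):
        try:
            udm[path] = int(fields[raw])
        except (KeyError, ValueError):
            pass  # absent or non-numeric: drop the field, keep the event

    # date + time -> metadata.event_timestamp; a malformed timestamp is skipped, not fatal.
    try:
        udm["metadata.event_timestamp"] = datetime.strptime(
            f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S").isoformat()
    except (KeyError, ValueError):
        pass

    # 'Reserved' is not a location: keep it as a detection field instead of a country.
    for raw, path in (("srccountry", "principal.location.country_or_region"),
                      ("dstcountry", "target.location.country_or_region")):
        val = fields.get(raw)
        if val == "Reserved":
            udm.setdefault("security_result.detection_fields", []).append({"key": raw, "value": val})
        elif val:
            udm[path] = val

    # service: protocol name -> network.application_protocol, anything else -> target.application
    svc = fields.get("service", "")
    if svc.lower() in PROTOCOL_NAMES:
        udm["network.application_protocol"] = svc.upper()
    elif svc:
        udm["target.application"] = svc

    put("network.ip_protocol", IP_PROTOCOL_BY_NUMBER.get(fields.get("proto", "")))
    put("security_result.severity", SEVERITY_BY_LEVEL.get(fields.get("level", "").lower()))

    # Raw action always lands in action_details; fail/failed additionally sets action=FAIL.
    action = fields.get("action", "")
    put("security_result.action_details", action)
    if action.lower() in ("fail", "failed"):
        udm["security_result.action"] = "FAIL"
    return udm


def normalize(line):
    """Parse one raw line; return (udm_fields, parse_errors)."""
    fields, errors = parse_kv(line)
    return to_udm(fields), errors


# Constructed sample lines, not real device output; 'bogus' and dstport=abc exercise error paths.
SAMPLE_TRAFFIC = ('date=2025-07-10 time=12:34:56 devname="fw-edge-01" logid="0000000013" '
                  'level="warning" srcip=10.0.0.5 srcport=51234 srccountry="Reserved" '
                  'dstip=203.0.113.7 dstport=443 dstcountry="United States" proto=6 action="failed" '
                  'policyid=42 policyname="egress web" service="HTTPS" sentbyte=1024 msg="session closed" bogus')
SAMPLE_APP = 'date=2025-07-10 time=12:35:01 srcip=10.0.0.6 dstport=abc service="Custom_App" action="accept"'
```

Running `normalize(SAMPLE_TRAFFIC)` yields `errors == ["bogus"]` alongside a complete event: the stray token is reported but does not discard the line, which is the point of the `on_error` change. The `Reserved` branch matters for detection content: a private source address would otherwise show up as a bogus country in `principal.location`, so keeping it in `detection_fields` preserves the signal without polluting geolocation fields. The lookup tables are the first thing to replace with the real parser's value sets when adapting this to another device's logs.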