Change log for BEYONDTRUST_BEYONDINSIGHT
| Date | Changes |
|---|---|
| 2025-11-07 | Enhancement:
- `event.idm.read_only_udm.target.user.userid`: Newly mapped `dst_user` raw log field to `event.idm.read_only_udm.target.user.userid`.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `dst_host` raw log field to `event.idm.read_only_udm.target.hostname`.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `src_user` raw log field to `event.idm.read_only_udm.principal.user.userid`.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `src_ip` raw log field to `event.idm.read_only_udm.principal.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped `src_ip` raw log field to `event.idm.read_only_udm.principal.asset.ip`.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `nvps.source` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped `nvps.source` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.target.application`: Newly mapped the constant value `"BeyondInsight Application GUI"` to `event.idm.read_only_udm.target.application`.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `nvps.areaname`, `nvps.context`, `nvps.active`, `nvps.genericappliancehealthactive`, `nvps.beyondinsightapplicationauditactive`, `nvps_hostname`, `nvps.port`, `nvps.genericappliancehealthenabled`, `nvps.beyondinsightapplicationauditenabled`, `nvps.genericappliancehealthseverity`, `nvps.outputpipeline`, `nvps.name` raw log fields to `event.idm.read_only_udm.additional.fields`.
- `event.idm.read_only_udm.intermediary.hostname`: Newly mapped `nvps.hostname` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Newly mapped `nvps.hostname` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `sourcehost` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `shost` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `src_host` raw log field to `event.idm.read_only_udm.principal.hostname`.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped `src_host` raw log field to `event.idm.read_only_udm.principal.asset.hostname`.
- `event.idm.read_only_udm.extensions.auth.type`: Newly mapped the constant value `"MACHINE"` to `event.idm.read_only_udm.extensions.auth.type`.
- `event.idm.read_only_udm.target.application`: Newly mapped the constant value `"BeyondInsight Appliance Management GUI"` to `event.idm.read_only_udm.target.application`.
- `event.idm.read_only_udm.intermediary.asset.ip`: Newly mapped `inter_ip` raw log field to `event.idm.read_only_udm.intermediary.asset.ip`.
- `event.idm.read_only_udm.principal.ip`: Removed mapping of `sourceip` from `event.idm.read_only_udm.principal.ip`, because `sourceip` identifies an intermediary (the forwarder), not the principal.
- `event.idm.read_only_udm.intermediary.ip`: Mapped `sourceip` raw log field to `event.idm.read_only_udm.intermediary.ip`.
- `event.idm.read_only_udm.principal.asset.ip`: Removed mapping of `sourceip` from `event.idm.read_only_udm.principal.asset.ip`, because `sourceip` identifies an intermediary, not the principal.
- `event.idm.read_only_udm.intermediary.asset.ip`: Mapped `sourceip` raw log field to `event.idm.read_only_udm.intermediary.asset.ip`.
- `event.idm.read_only_udm.target.hostname`: Removed mapping of `nvps.clienthost` from `event.idm.read_only_udm.target.hostname`; `nvps.clienthost` is an intermediary and is now mapped to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.intermediary.hostname`: Mapped `nvps.clienthost` raw log field to `event.idm.read_only_udm.intermediary.hostname`.
- `event.idm.read_only_udm.target.asset.hostname`: Removed mapping of `nvps.clienthost` from `event.idm.read_only_udm.target.asset.hostname`; `nvps.clienthost` is an intermediary and is now mapped to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.intermediary.asset.hostname`: Mapped `nvps.clienthost` raw log field to `event.idm.read_only_udm.intermediary.asset.hostname`.
- `event.idm.read_only_udm.principal.hostname`: Removed mapping of `nvps.name` from `event.idm.read_only_udm.principal.hostname`, because `nvps.name` is not a hostname; it is the configured name of the forwarder.
- `event.idm.read_only_udm.principal.asset.hostname`: Removed mapping of `nvps.name` from `event.idm.read_only_udm.principal.asset.hostname`, because `nvps.name` is not a hostname; it is the configured name of the forwarder.
- Added grok patterns to extract `dst_user`, `dst_host`, `src_user`, `src_host`, and `src_ip` from the `eventdesc` field.
- Conditionally set `event.idm.read_only_udm.metadata.event_type` to `USER_LOGIN` or `USER_LOGOUT` based on the `eventdesc` content and `agentid`.
- Added a grok pattern to handle IP addresses within the `nvps.hostname` field, extracting them to `nvps_hostname`. |
| 2025-07-23 | Enhancement:
- Added gsubs to ensure proper mapping of KV-format logs.
- Modified a gsub to ensure proper mapping of the `OS` and `Agent Version` raw log fields.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `EventType` raw log field to `event.idm.read_only_udm.additional.fields` (with key `Event Type`).
- Added a grok pattern to check that `sourceip` is a valid IP address before mapping it to the `event.idm.read_only_udm.principal.ip` UDM field. |
| 2025-05-13 | Enhancement:
- Added support for handling the `#` character in UDM fields.
- Added support for parsing `metadata.event_type`.
- Added the required null checks when performing the mappings. |
| 2025-04-21 | Enhancement:
- Added a grok pattern to support the new SYSLOG log format.
- Added a gsub to fix the KV parsing issue. |
| 2025-02-06 | Enhancement:
- Added support for mapping previously unparsed fields. |
| 2024-11-22 | - Newly created parser. |
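The 2025-11-07 entries above matter for attribution: `sourceip` and `nvps.clienthost` identify the forwarder that relayed the event, so mapping them to `principal` would pin a login on the wrong host, and `nvps.name` is a configured label rather than a hostname. The following is an added illustration, not the parser's own code or BeyondTrust output: it applies those placement rules, the `eventdesc` extraction, the login/logout classification and the valid-IP check to two constructed events. The `eventdesc` wording, the regular expression standing in for the grok pattern, and the use of `agentid` as a simple presence check are all assumptions; the real patterns and conditions are not on this page.

```python
import ipaddress
import re

# Constructed sample events, not real BeyondInsight output; only the raw field
# names come from the change log. The eventdesc wording is an assumption.
SAMPLE_EVENTS = [
    {
        "eventdesc": "User jdoe logged in to host BI-APP01 from 10.1.2.3 (WKSTN01)",
        "agentid": "12345",
        "sourceip": "10.9.9.9",           # forwarder that relayed the event
        "nvps.clienthost": "fwd-01",      # forwarder hostname
        "nvps.name": "bi-forwarder",      # forwarder's configured name, not a host
        "nvps.hostname": "192.168.5.7",   # sometimes carries an IP, not a name
    },
    {
        "eventdesc": "User svc_scan logged out of host BI-APP02 from 10.1.2.4",
        "agentid": "12345",
        "sourceip": "not-an-ip",          # must not reach any ip field
        "nvps.clienthost": "fwd-02",
        "nvps.hostname": "fwd-02.example.test",
    },
]

# Stand-in for the parser's grok pattern (assumed; the real pattern is not on the page).
EVENTDESC_RE = re.compile(
    r"User (?P<src_user>\S+) logged (?P<action>in|out) (?:to|of) host (?P<dst_host>\S+)"
    r" from (?P<src_ip>\S+?)(?: \((?P<src_host>[^)]+)\))?$"
)


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address (the valid-IP check from 2025-07-23)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_udm(raw):
    """Map one raw event to a UDM-shaped dict following the 2025-11-07 placement rules."""
    udm = {"metadata": {"event_type": "GENERIC_EVENT"}, "principal": {}, "target": {},
           "intermediary": [], "additional": {}}

    m = EVENTDESC_RE.search(raw.get("eventdesc", ""))
    if m:
        f = m.groupdict()
        udm["principal"]["user"] = {"userid": f["src_user"]}
        udm["target"]["hostname"] = f["dst_host"]
        if is_ip(f["src_ip"]):
            udm["principal"]["ip"] = f["src_ip"]
            udm["principal"]["asset"] = {"ip": f["src_ip"]}
        if f["src_host"]:
            udm["principal"]["hostname"] = f["src_host"]
            udm["principal"].setdefault("asset", {})["hostname"] = f["src_host"]
        # Assumption: classification requires a non-empty agentid; the change log only
        # says the parser consults agentid, not the exact condition.
        if raw.get("agentid"):
            udm["metadata"]["event_type"] = "USER_LOGIN" if f["action"] == "in" else "USER_LOGOUT"

    # sourceip and nvps.clienthost identify the forwarder: intermediary, never principal.
    if is_ip(raw.get("sourceip", "")):
        udm["intermediary"].append({"ip": raw["sourceip"], "asset": {"ip": raw["sourceip"]}})
    if raw.get("nvps.clienthost"):
        h = raw["nvps.clienthost"]
        udm["intermediary"].append({"hostname": h, "asset": {"hostname": h}})

    # nvps.hostname: an IP is kept as nvps_hostname in additional fields, a name is an intermediary.
    nh = raw.get("nvps.hostname", "")
    if nh and is_ip(nh):
        udm["additional"]["nvps_hostname"] = nh
    elif nh:
        udm["intermediary"].append({"hostname": nh, "asset": {"hostname": nh}})

    # nvps.name is the configured forwarder name, so it is retained only as an additional field.
    if raw.get("nvps.name"):
        udm["additional"]["nvps.name"] = raw["nvps.name"]
    return udm


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(to_udm(event))
```

Running the block prints one UDM-shaped dict per constructed event. The second event shows why the valid-IP check exists: a non-IP `sourceip` is dropped rather than written into any `ip` field, and the login source still lands on `principal.ip` because it comes from `eventdesc`, not from the forwarder.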