Change log for DELL_ECS
| Date | Changes |
|---|---|
| 2026-01-12 | - Added a grok pattern to support the new log format.<br>- "event.idm.read_only_udm.principal.process.file.full_path": newly mapped from the "process_name" raw log field.<br>- "event.idm.read_only_udm.principal.process.pid": newly mapped from the "pid" raw log field.<br>- "event.idm.read_only_udm.metadata.description": newly mapped from the "msg_description" raw log field.<br>- "event.idm.read_only_udm.security_result.severity": newly mapped from the "severity" raw log field.<br>- "event.idm.read_only_udm.security_result.detection_fields": newly mapped from the "Category", "Component" and "TimeZone" raw log fields.<br>- "event.idm.read_only_udm.metadata.event_timestamp": added support for mapping it from "timestamp" (UNIX format) to "event_time" (yyyy-MM-ddTHH:mm:ssZZ and other ISO8601 formats), and added "timestamp" (MMM dd HH:mm:ss format) as an alternative source.<br>- "event.idm.read_only_udm.metadata.event_type": if it is "GENERIC_EVENT" and "principal_present" is not "false", it is updated to "STATUS_UPDATE".<br>- Introduced an initial "mutate" block that clears certain fields ("process_name", "pid", "serviceType", "event_type", "msg", "msg_description", "kv_data", "severity", "security_result", "Category", "Component", "TimeZone", "principal_present") before processing.<br>- Added the "overwrite" option to the "grok" filters to explicitly manage field overwrites.<br>- Introduced a "principal_present" flag that is set to "true" when "event.idm.read_only_udm.principal.hostname" is populated. |
| 2024-03-18 | - Newly created parser. |
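The timestamp fallback order and the "GENERIC_EVENT" to "STATUS_UPDATE" rule from the 2026-01-12 entry, modelled as an added Python example (not the parser's own code). The sample records are constructed, since the page does not show raw Dell ECS lines, and the default "false" value of "principal_present" when no hostname is present is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample records: the fields a grok stage would have extracted (assumption).
SAMPLE_RECORDS = [
    {"timestamp": "1704067200", "event_type": "GENERIC_EVENT", "hostname": "ecs-node-1"},
    {"event_time": "2026-01-12T10:15:30+05:30", "event_type": "GENERIC_EVENT"},
    {"timestamp": "Jan 12 10:15:30", "event_type": "USER_LOGIN", "hostname": "ecs-node-2"},
]


def parse_event_timestamp(rec, default_year=2026):
    """Try the three sources in the order the changelog lists them; None if all missing."""
    ts = rec.get("timestamp", "")
    if re.fullmatch(r"\d{9,10}", ts):  # "timestamp" as UNIX epoch seconds
        return datetime.fromtimestamp(int(ts), tz=timezone.utc)
    event_time = rec.get("event_time")
    if event_time:  # "event_time" as yyyy-MM-ddTHH:mm:ssZZ (ISO8601 with offset)
        return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
    if ts:  # "timestamp" as MMM dd HH:mm:ss; the format carries no year, so one is assumed
        naive = datetime.strptime(f"{default_year} {ts}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    return None


def normalize(rec, default_year=2026):
    """Derive the UDM-relevant fields the changelog describes from one extracted record."""
    hostname = rec.get("hostname")
    # Flag is "true" when principal.hostname is populated; "false" otherwise (assumed default).
    principal_present = "true" if hostname else "false"
    event_type = rec.get("event_type", "GENERIC_EVENT")
    if event_type == "GENERIC_EVENT" and principal_present != "false":
        event_type = "STATUS_UPDATE"
    return {
        "event_timestamp": parse_event_timestamp(rec, default_year),
        "event_type": event_type,
        "principal_present": principal_present,
        "principal_hostname": hostname,
    }
```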