Change log for HADOOP

Date Changes
2026-02-23 Enhancement
- `event.idm.read_only_udm.metadata.collected_timestamp`: Newly mapped `collection_time_details` raw log field to `event.idm.read_only_udm.metadata.collected_timestamp` UDM field.
- `event.idm.read_only_udm.principal.asset.network_domain`: Newly mapped `principal_network_domain` raw log field to `event.idm.read_only_udm.principal.asset.network_domain` UDM field.
- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped `timestamp_details` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field.
- `event.idm.read_only_udm.target.hostname`,`event.idm.read_only_udm.target.asset.hostname`: Added null and empty conditional check before mapping `event.idm.read_only_udm.target.hostname` and `event.idm.read_only_udm.target.asset.hostname` as null is not a valid hostname.
- `event.idm.read_only_udm.metadata.new_event`: Updated the `event.idm.read_only_udm.metadata.new_event` from `NETWORK_CONNECTION` to `STATUS_UPDATE` when no target device details are found.
- `event.idm.read_only_udm.metadata.description`: Added a grok pattern to correctly extract raw log fields and map them to the appropriate UDM fields; previously, these were being incorrectly parsed into the `event.idm.read_only_udm.metadata.description` UDM field.
- `event.idm.read_only_udm.metadata.product_name`: Added a grok pattern to correctly extract raw log fields and map them to the appropriate UDM field; previously, these were being incorrectly parsed into the `event.idm.read_only_udm.metadata.product_name` UDM field.
- Added a new grok pattern for the raw log field `ugi` to extract principal_network_domain.
- Added a new grok pattern to handle the new syslog+kv log format; this allows the following UDM fields to be mapped correctly:
  - `event.idm.read_only_udm.principal.ip`
  - `event.idm.read_only_udm.principal.asset.ip`
  - `event.idm.read_only_udm.principal.process.command_line`
  - `event.idm.read_only_udm.security_result.action`
  - `event.idm.read_only_udm.security_result.severity`
  - `event.idm.read_only_udm.src.file.full_path`
  - `event.idm.read_only_udm.metadata.product_event_type`
  - `event.idm.read_only_udm.observer.ip`
  - `event.idm.read_only_udm.additional.fields`
  - `event.idm.read_only_udm.principal.user.userid`
2023-06-05 Enhancement
- Added a new grok pattern to parse the new syslog format logs.
- Changed "event_type" from "GENERIC_EVENT" to "NETWORK_CONNECTION" when both "principal" and "target" fields are present, otherwise set it to "STATUS_UPDATE".
- Mapped "ugi" to "target.ip".
- Mapped "tip" to "target.hostname".
- Mapped "cmd" to "principal.process.command_line".
- Mapped the "hostname" and IP address already mapped to "observer.hostname" and "observer.ip" to "principal.hostname" and "principal.ip" as well, to meet validation requirements.
2022-05-25 Mapped IP to observer.ip.
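Added illustration, not the parser's own code: a small Python reimplementation of the mapping rules recorded in this log (realm extracted from `ugi` into the network domain, the null/empty check before `target.hostname`, and the `NETWORK_CONNECTION` versus `STATUS_UPDATE` decision), run over a constructed HDFS-audit-style line. The key=value line layout, the `tip`/`src` field names and the `allowed` to `security_result.action` mapping are assumptions made for the example.

```python
import re

# Constructed sample line in HDFS audit-log style (not taken from the page).
SAMPLE = ("2026-02-23T10:15:00Z nn01 hdfs-audit: allowed=true "
          "ugi=alice@EXAMPLE.COM (auth:KERBEROS) ip=/10.1.2.3 "
          "cmd=listStatus src=/user/alice dst=null tip=null perm=null proto=rpc")

# key=value pairs; the ugi value may carry a trailing " (auth:...)" token.
KV_RE = re.compile(r"(\w+)=(\S+(?: \(auth:[A-Z]+\))?)")


def parse_kv(line: str) -> dict:
    """Split the kv part of the line into a dict (assumed layout)."""
    return dict(KV_RE.findall(line))


def is_present(value) -> bool:
    """The log's null/empty check: the literal 'null' is not a hostname."""
    return value is not None and value != "" and value.lower() != "null"


def split_ugi(ugi: str):
    """'user@REALM (auth:KERBEROS)' -> (user, REALM); realm may be absent."""
    m = re.match(r"([^@\s]+)(?:@(\S+))?", ugi or "")
    return (m.group(1), m.group(2)) if m else (None, None)


def to_udm(line: str) -> dict:
    """Apply the mapping rules from the change log to one raw line."""
    kv, udm = parse_kv(line), {}
    user, realm = split_ugi(kv.get("ugi"))
    if user:
        udm["principal.user.userid"] = user
    if realm:
        udm["principal.asset.network_domain"] = realm
    ip = kv.get("ip", "").lstrip("/")
    if ip:  # the same address feeds observer.ip and principal.ip
        udm["observer.ip"] = udm["principal.ip"] = ip
    if "cmd" in kv:
        udm["principal.process.command_line"] = kv["cmd"]
    if is_present(kv.get("src")):
        udm["src.file.full_path"] = kv["src"]
    if is_present(kv.get("tip")):  # skip 'null' / empty before mapping hostname
        udm["target.hostname"] = udm["target.asset.hostname"] = kv["tip"]
    if "allowed" in kv:  # assumed mapping of allowed=true/false
        udm["security_result.action"] = "ALLOW" if kv["allowed"] == "true" else "BLOCK"
    has_principal = "principal.ip" in udm or "principal.user.userid" in udm
    has_target = "target.hostname" in udm
    udm["metadata.event_type"] = ("NETWORK_CONNECTION" if has_principal and has_target
                                  else "STATUS_UPDATE")
    return udm
```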