Change log for IBM_DATAPOWER
| Date | Changes |
|---|---|
| 2026-01-22 | Enhancement:<br>- Updated the grok pattern to parse "responcecode" from the summary, which affects the mapping to "event.idm.read_only_udm.network.http.response_code".<br>- Updated the grok patterns to parse the "trans_type" raw log field.<br>- Added a grok pattern to parse "target_url" from the "target_url" raw log field, which affects the mapping to "event.idm.read_only_udm.target.url".<br>- "event.idm.read_only_udm.additional.fields": Newly mapped the "transaction_type" raw log field to the "event.idm.read_only_udm.additional.fields" UDM field.<br>- "event.idm.read_only_udm.security_result.description": Newly mapped the "errorMessage" raw log field to the "event.idm.read_only_udm.security_result.description" UDM field.<br>- "event.idm.read_only_udm.security_result.detection_fields": Newly mapped the "errorCode" and "errorSuggestion" raw log fields to the "event.idm.read_only_udm.security_result.detection_fields" UDM field. |
| 2026-01-05 | Enhancement:<br>- Added new grok patterns to support additional log message formats. |
| 2025-12-25 | Enhancement:<br>- "event.idm.read_only_udm.additional.fields": Newly mapped the "event_label" and "event_type_id" fields to the "event.idm.read_only_udm.additional.fields" UDM field.<br>- "event.idm.read_only_udm.additional.fields": Newly mapped the "trans_type" field to the "event.idm.read_only_udm.additional.fields" UDM field.<br>- "event.idm.read_only_udm.principal.hostname": Newly mapped the "attributes.chronicle_ingestion_label.agent" raw log field to the "event.idm.read_only_udm.principal.hostname" UDM field.<br>- "event.idm.read_only_udm.principal.resource.attribute.labels": Newly mapped the "attributes.chronicle_ingestion_label.ucname" raw log field to the "event.idm.read_only_udm.principal.resource.attribute.labels" UDM field.<br>- "event.idm.read_only_udm.principal.namespace": Newly mapped the "attributes.chronicle_namespace" raw log field to the "event.idm.read_only_udm.principal.namespace" UDM field.<br>- "event.idm.read_only_udm.metadata.product_log_id": Newly mapped the "attributes.log.record.uid" raw log field to the "event.idm.read_only_udm.metadata.product_log_id" UDM field.<br>- "event.idm.read_only_udm.principal.cloud.project.parent": Newly mapped the "resource_attributes.cloud.resource_id" raw log field to the "event.idm.read_only_udm.principal.cloud.project.parent" UDM field.<br>- "event.idm.read_only_udm.principal.cloud.project.id": Newly mapped the "resource_attributes.gcp.label.project_id" raw log field to the "event.idm.read_only_udm.principal.cloud.project.id" UDM field.<br>- "event.idm.read_only_udm.principal.cloud.project.name": Newly mapped the "resource_attributes.gcp.project" raw log field to the "event.idm.read_only_udm.principal.cloud.project.name" UDM field.<br>- "event.idm.read_only_udm.principal.cloud.project.resource_subtype": Newly mapped the "resource_attributes.gcp.resource_type" raw log field to the "event.idm.read_only_udm.principal.cloud.project.resource_subtype" UDM field.<br>- "event.idm.read_only_udm.target.application": Newly mapped the "target_application" field to the "event.idm.read_only_udm.target.application" UDM field. |
| 2025-12-04 | Enhancement:<br>- event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped the `prin_ip` (from log.source.address) raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields.<br>- event.idm.read_only_udm.principal.port: Newly mapped the `prin_port` (from log.source.address) raw log field to the `event.idm.read_only_udm.principal.port` UDM field.<br>- event.idm.read_only_udm.principal.hostname and event.idm.read_only_udm.principal.asset.hostname: Newly mapped the `agent.hostname` raw log field to the `event.idm.read_only_udm.principal.hostname` and `event.idm.read_only_udm.principal.asset.hostname` UDM fields.<br>- event.idm.read_only_udm.principal.application: Newly mapped the `agent.type` raw log field to the `event.idm.read_only_udm.principal.application` UDM field.<br>- event.idm.read_only_udm.metadata.product_version: Newly mapped the `agent.version` raw log field to the `event.idm.read_only_udm.metadata.product_version` UDM field.<br>- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped the `agent.name` raw log field to the `event.idm.read_only_udm.principal.user.user_display_name` UDM field.<br>- event.idm.read_only_udm.principal.user.product_object_id: Newly mapped the `agent.id` raw log field to the `event.idm.read_only_udm.principal.user.product_object_id` UDM field.<br>- event.idm.read_only_udm.network.http.response_code: Newly mapped the `responcecode` (from summary) raw log field to the `event.idm.read_only_udm.network.http.response_code` UDM field.<br>- event.idm.read_only_udm.principal.user.userid: Newly mapped the `prin_user_id` (from summary) raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.<br>- event.idm.read_only_udm.network.http.user_agent: Newly mapped the `useragent` (from summary) raw log field to the `event.idm.read_only_udm.network.http.user_agent` UDM field.<br>- event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped the `useragent` (from summary) raw log field to the `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.<br>- event.idm.read_only_udm.target.port: Newly mapped the `target_port` (from summary) raw log field to the `event.idm.read_only_udm.target.port` UDM field.<br>- event.idm.read_only_udm.additional.fields: Newly mapped the `ecs.version`, `fields.fb_bu`, `fields.fb_collector`, `fields.fb_sourcename`, `agent.ephemeral_id`, `sftp_poller`, `mpgw`, `gtid`, `version`, `host.name`, `input.type` and `tags` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.<br>- event.idm.read_only_udm.metadata.event_type: If summary contains "logged in" AND has_target is "true", updated to USER_LOGIN.<br>- event.idm.read_only_udm.metadata.event_type: If summary contains "failed to log in" AND has_target is "true", updated to USER_LOGIN.<br>- event.idm.read_only_udm.metadata.event_type: If has_target is "true" AND has_principal is "true", updated to NETWORK_CONNECTION.<br>- event.idm.read_only_udm.metadata.event_type: The condition for STATUS_UPDATE changed from specific field checks to has_principal is "true". |
| 2025-06-26 | Enhancement:<br>- `event.idm.read_only_udm.metadata.event_timestamp`: Newly mapped the `ts` raw log field to `event.idm.read_only_udm.metadata.event_timestamp`. |
| 2024-06-18 | Enhancement:<br>- Added new Grok patterns to parse a new type of previously unparsed logs.<br>- Mapped "target_host" to "target.hostname".<br>- Mapped "prin_ip" to "principal.ip".<br>- Mapped "prin_port" to "principal.port".<br>- Mapped "prod_event_type" to "metadata.product_event_type". |
| 2023-11-09 | Enhancement:<br>- Added new Grok patterns to parse a new type of previously unparsed logs.<br>- Added new Grok patterns to parse "summary" from the log.<br>- Mapped "principal_host" to "principal.hostname".<br>- Changed the mapping of "user_id" from "principal.user.userid" to "target.user.userid".<br>- For successful login events, "event_type" is mapped to "USER_LOGIN" and "security_result.action" to "ALLOW".<br>- For failed login events, "event_type" is mapped to "USER_LOGIN" and "security_result.action" to "BLOCK". |
| 2023-10-18 | Enhancement:<br>- Added a Grok pattern to parse previously unparsed failed user login logs.<br>- Added a Grok pattern to parse the fields "ip" and "user_id" from the logs.<br>- Mapped "user_id" to "principal.user.userid".<br>- If a log contains the value "failed to log in" in the description: set "metadata.event_type" to "USER_UNCATEGORIZED" and set "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED". |
| 2022-12-26 | Enhancement:<br>- Added a GROK pattern to parse previously unparsed SYSLOG logs.<br>- If the log contains the "Logged out" or "Logged" fields, "metadata.event_type" is set to "USER_LOGOUT" or "USER_LOGIN" respectively. |
| 2022-06-30 | Enhancement:<br>- Added a Grok pattern for retrieving "src_ip". |
| 2022-06-10 | Enhancement:<br>- The newly ingested SYSLOG format logs are now handled and parsed.<br>- If the log contains a response code value such as 200, 201 or 203, it is mapped to 'network.http.response_code'.<br>- If the log contains an application protocol such as HTTP or FTP, it is mapped to 'network.application_protocol'.<br>- If Target IP and Principal Hostname are not null, metadata.event_type is mapped to 'NETWORK_UNCATEGORIZED'.<br>- If Source IP and Principal Hostname are not null, metadata.event_type is mapped to 'STATUS_UPDATE'. |
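The event_type and security_result.action rules scattered across the 2025-12-04, 2023-11-09 and 2022-12-26 entries only make sense once their precedence is fixed; the following added example (not the parser's own code) shows one consistent ordering as a small Python classifier run over constructed records. The record layout, the derivation of has_target and has_principal from the extracted fields, the login-before-connection ordering and the GENERIC_EVENT fallback are all assumptions made for illustration.

```python
import re

# Added example: a stand-alone re-implementation of the event_type /
# security_result.action decisions listed in this changelog. The record
# layout, the derivation of has_target / has_principal and the rule
# precedence are assumptions, not the parser's own logic.

LOGIN_FAIL_RE = re.compile(r"failed to log in", re.IGNORECASE)
LOGIN_OK_RE = re.compile(r"logged in", re.IGNORECASE)
LOGOUT_RE = re.compile(r"logged out", re.IGNORECASE)


def derive_flags(record):
    """Assumed derivation: a target exists when any target_* or user_id
    field was extracted (user_id maps to target.user.userid since
    2023-11-09); a principal exists when prin_ip or principal_host was."""
    has_target = any(record.get(k) for k in ("target_ip", "target_host", "target_port", "user_id"))
    has_principal = any(record.get(k) for k in ("prin_ip", "principal_host"))
    return has_target, has_principal


def classify(record):
    """Return (metadata.event_type, security_result.action or None)."""
    summary = record.get("summary", "")
    has_target, has_principal = derive_flags(record)
    # Login rules (2025-12-04 / 2023-11-09): the failure check runs first so
    # "failed to log in" is never mistaken for a successful login.
    if has_target and LOGIN_FAIL_RE.search(summary):
        return "USER_LOGIN", "BLOCK"
    if has_target and LOGIN_OK_RE.search(summary):
        return "USER_LOGIN", "ALLOW"
    # Logout rule (2022-12-26).
    if LOGOUT_RE.search(summary):
        return "USER_LOGOUT", None
    # Connection vs status rules (2025-12-04): the two-sided condition must
    # be tested before the one-sided STATUS_UPDATE rule or it never fires.
    if has_target and has_principal:
        return "NETWORK_CONNECTION", None
    if has_principal:
        return "STATUS_UPDATE", None
    # Assumed fallback when no rule matches.
    return "GENERIC_EVENT", None


# Constructed sample records (not real DataPower output).
SAMPLES = [
    {"summary": "User 'admin' logged in from web-mgmt", "user_id": "admin", "prin_ip": "10.0.0.5"},
    {"summary": "User 'admin' failed to log in from web-mgmt", "user_id": "admin", "prin_ip": "10.0.0.5"},
    {"summary": "User 'admin' logged out", "user_id": "admin"},
    {"summary": "mpgw request forwarded", "prin_ip": "10.0.0.5", "target_host": "backend.example"},
    {"summary": "domain configuration saved", "principal_host": "dp-node-1"},
    {"summary": "heartbeat"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(classify(rec), "<-", rec["summary"])
```

The order matters for detection: a login attempt that also carries principal and target fields would otherwise be classified as a plain NETWORK_CONNECTION and lose its security_result.action, so the login rules are evaluated before the connection rule here.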