Change log for IBM_WEBSEAL
| Date | Changes |
|---|---|
| 2025-10-08 | Enhancement:<br>- Removed the default assignment of `0.0.0.0` to `event.idm.read_only_udm.target.ip` when the `target_ip` raw field is empty. This change is made so that GCP can correctly enrich the destination instance.<br>- `event.idm.read_only_udm.network.http.method`: Newly mapped `http_method` raw log field to `event.idm.read_only_udm.network.http.method`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `http_version`, `http_uri`, `caca`, `@version` and `logtype` raw log fields to `event.idm.read_only_udm.additional.fields`.<br>- Modified grok patterns to extract `http_method`, `http_uri`, and `http_version` from the `URI` raw log field.<br>- Refined parsing for `code_resp`, `response_code`, and `res_code` to only process values that match a standard HTTP response code format (`^[1-5][0-9]{2}$`).<br>- Updated `metadata.event_type` from `NETWORK_CONNECTION` to `STATUS_UPDATE` for certain log entries.<br>- Modified the condition for mapping `network.tls.version` to not allow empty spaces in `temp_data`. |
| 2025-03-03 | Enhancement:<br>- Mapped "src_host" to "principal.hostname"<br>- Mapped "src_app" to "principal.application"<br>- Mapped "network_method" to "network.http.method"<br>- Mapped "dst_url" to "target.url"<br>- Mapped "app_protocol" to "additional.fields"<br>- Mapped "res_code" to "network.http.response_code"<br>- Mapped "sent_bytes" to "network.sent_bytes"<br>- Mapped "rec_bytes" to "network.received_bytes"<br>- Mapped "app_proto" to "network.application_protocol"<br>- Mapped "src_port" to "principal.port"<br>- Mapped "dst_host" to "target.hostname"<br>- Mapped "level" to "security_result.severity"<br>- Mapped "error" to "target.resource.attribute.labels"<br>- Mapped "description" to "security_result.description"<br>- Mapped "operation" to "target.user.attribute.labels"<br>- Mapped "username" to "target.user.userid"<br>- Mapped "authSourceCode" to "additional.fields"<br>- Mapped "accountValid" to "additional.fields"<br>- Mapped "passwordValid" to "additional.fields"<br>- Mapped "hashedPassword" to "additional.fields"<br>- Mapped "registryDn" to "target.user.attribute.labels"<br>- Mapped "secUserDn" to "target.resource.attribute.labels"<br>- Mapped "passwordResetAllowed" to "additional.fields"<br>- Mapped "nonExpiringPassword" to "additional.fields"<br>- Mapped "customPasswordPolicy" to "additional.fields"<br>- Mapped "authSource" to "additional.fields". |
| 2024-01-22 | Enhancement: Added Grok patterns to support new format of logs. |
| 2023-11-17 | Newly created parser. |