Change log for KITEWORKS

Date Changes
2025-11-14 Enhancement:
- Mapped Kiteworks JSON formatted logs to UDM fields.
- `event.idm.read_only_udm.additional.fields`: Newly mapped `subscriptionId`, `payload.data.context`, `payload.data.geolocation_source.source`, `payload.data.geolocation_source.source_with_kw`, `payload.appname`, `payload.procid`, `payload.flag`, `payload.tenant_id` raw log field(s) with `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.intermediary`: Newly mapped `intermediary_host` raw log field(s) with `event.idm.read_only_udm.intermediary` UDM field.
- `event.idm.read_only_udm.metadata.description`: Newly mapped `payload.description` raw log field(s) with `event.idm.read_only_udm.metadata.description` UDM field.
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped `webhookId` raw log field(s) with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.network.http.parsed_user_agent`: Newly mapped `payload.user_agent` raw log field(s) with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.
- `event.idm.read_only_udm.network.http.user_agent`: Newly mapped `payload.user_agent` raw log field(s) with `event.idm.read_only_udm.network.http.user_agent` UDM field.
- `event.idm.read_only_udm.network.session_id`: Newly mapped `payload.data.session` raw log field(s) with `event.idm.read_only_udm.network.session_id` UDM field.
- `event.idm.read_only_udm.principal.application`: Newly mapped `payload.client_name` raw log field(s) with `event.idm.read_only_udm.principal.application` UDM field.
- `event.idm.read_only_udm.principal.asset.product_object_id`: Newly mapped `payload.client_id` raw log field(s) with `event.idm.read_only_udm.principal.asset.product_object_id` UDM field.
- `event.idm.read_only_udm.principal.hostname`: Newly mapped `payload.host` raw log field(s) with `event.idm.read_only_udm.principal.hostname` UDM field.
- `event.idm.read_only_udm.principal.ip`: Newly mapped `payload.user_ip`, `payload.source_ip` raw log field(s) with `event.idm.read_only_udm.principal.ip` UDM field.
- `event.idm.read_only_udm.principal.user.attribute.labels`: Newly mapped `payload.user_type` raw log field(s) with `event.idm.read_only_udm.principal.user.attribute.labels` UDM field.
- `event.idm.read_only_udm.principal.user.product_object_id`: Newly mapped `payload.user_id` raw log field(s) with `event.idm.read_only_udm.principal.user.product_object_id` UDM field.
- `event.idm.read_only_udm.principal.user.userid`: Newly mapped `payload.user_name` raw log field(s) with `event.idm.read_only_udm.principal.user.userid` UDM field.
- `event.idm.read_only_udm.security_result.action`: Newly mapped `payload.successful` raw log field(s) with `event.idm.read_only_udm.security_result.action` UDM field.
- `event.idm.read_only_udm.security_result.severity`: Newly mapped `payload.severity` raw log field(s) with `event.idm.read_only_udm.security_result.severity` UDM field.
- `event.idm.read_only_udm.target.application`: Newly mapped `payload.application` raw log field(s) with `event.idm.read_only_udm.target.application` UDM field.
- `event.idm.read_only_udm.target.hostname`: Newly mapped `payload.app_host` raw log field(s) with `event.idm.read_only_udm.target.hostname` UDM field.
- `event.idm.read_only_udm.target.resource.attribute.labels`: Newly mapped `tenantId` raw log field(s) with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- `event.idm.read_only_udm.metadata.event_type`: If `payload.event_field` is `user_logged_out`, updated to `USER_LOGOUT`.
- `event.idm.read_only_udm.extensions.auth.type`: If `msg` or `payload.event_field` has a value, updated to `MACHINE`.
- Parsing logic updated to prioritize direct JSON parsing of the entire log message. If JSON parsing fails, it falls back to the previous grok-based syslog parsing logic.
- Added logic to parse `payload.timestamp` using the `ISO8601` format.
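The JSON-first parsing order, the grok fallback, and the ISO8601 timestamp handling described in this entry, as an added worked example. This is illustrative code written for this page, not the Kiteworks parser's own logic: the sample JSON record and syslog line are constructed, the syslog regex stands in for the earlier grok pattern (its shape is assumed), and the `ALLOW`/`BLOCK` encoding of `payload.successful`, the `GENERIC_EVENT` default, and the use of `payload.timestamp` as `metadata.event_timestamp` are assumptions the change log does not state.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs (not from the page or from Kiteworks documentation).
JSON_LOG = json.dumps({
    "webhookId": "wh-0001",
    "subscriptionId": "sub-42",
    "tenantId": "tenant-a",
    "payload": {
        "timestamp": "2025-11-14T10:15:30Z",
        "event_field": "user_logged_out",
        "user_name": "alice@example.com",
        "user_id": "1001",
        "user_ip": "198.51.100.7",
        "source_ip": "203.0.113.5",
        "host": "kw-app-01",
        "app_host": "kw.example.com",
        "user_agent": "Mozilla/5.0",
        "severity": "info",
        "successful": True,
        "data": {"session": "sess-77"},
    },
})
SYSLOG_LOG = "<14>2025-11-14T10:16:02Z kw-app-01 kiteworks[4242]: user bob logged in"

# Stand-in for the earlier grok-based syslog pattern (assumed shape, not the parser's own).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp into an aware UTC datetime; None if absent or malformed."""
    if not value:
        return None
    if value.endswith("Z"):  # fromisoformat on older Pythons does not accept a trailing Z
        value = value[:-1] + "+00:00"
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def parse_json_record(raw):
    """Map a JSON webhook record to a UDM-shaped dict using the field pairs listed in the change log."""
    rec = json.loads(raw)  # raises json.JSONDecodeError (a ValueError) on non-JSON input
    if not isinstance(rec, dict):
        raise ValueError("top-level JSON is not an object")
    p = rec.get("payload") or {}
    ips = [ip for ip in (p.get("user_ip"), p.get("source_ip")) if ip]
    return {
        "metadata": {
            "product_log_id": rec.get("webhookId"),
            "event_timestamp": parse_iso8601(p.get("timestamp")),  # assumed target field
            # GENERIC_EVENT default is an assumption; the page only states the USER_LOGOUT rule.
            "event_type": "USER_LOGOUT" if p.get("event_field") == "user_logged_out" else "GENERIC_EVENT",
        },
        "principal": {
            "hostname": p.get("host"),
            "ip": list(dict.fromkeys(ips)),  # de-duplicate, keep order
            "user": {"userid": p.get("user_name"), "product_object_id": p.get("user_id")},
        },
        "target": {
            "hostname": p.get("app_host"),
            "resource": {"attribute": {"labels": [{"key": "tenantId", "value": rec.get("tenantId")}]}},
        },
        "network": {"http": {"user_agent": p.get("user_agent")},
                    "session_id": (p.get("data") or {}).get("session")},
        # ALLOW/BLOCK for successful=true/false is an assumed encoding.
        "security_result": {"action": "ALLOW" if p.get("successful") else "BLOCK",
                            "severity": (p.get("severity") or "").upper() or None},
        # auth.type MACHINE whenever payload.event_field has a value, per the change log.
        "extensions": {"auth": {"type": "MACHINE"}} if p.get("event_field") else {},
    }


def parse_syslog_record(raw):
    """Fallback for the syslog format; returns None when the line matches neither format."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    return {
        "metadata": {"event_timestamp": parse_iso8601(m.group("ts")),
                     "description": m.group("msg"), "event_type": "GENERIC_EVENT"},
        "principal": {"hostname": m.group("host"), "application": m.group("app"),
                      "process": {"pid": m.group("pid")}},
        "extensions": {"auth": {"type": "MACHINE"}},  # msg has a value
    }


def parse_kiteworks(raw):
    """Try JSON parsing of the whole message first; on failure fall back to the syslog pattern."""
    try:
        return parse_json_record(raw)
    except ValueError:
        return parse_syslog_record(raw)


if __name__ == "__main__":
    print(parse_kiteworks(JSON_LOG)["metadata"])
    print(parse_kiteworks(SYSLOG_LOG)["principal"])
```

The fallback is triggered only by a JSON decode failure, so a line that is valid JSON but not an object (for example a bare number) is rejected rather than silently routed through the syslog branch, and a line matching neither format yields `None` instead of a half-populated event.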
2025-09-26 - Added support for a new log format.
- event.idm.read_only_udm.metadata.description: Newly mapped `log_message`, `description`, `full_log` raw log field with `event.idm.read_only_udm.metadata.description` UDM field.
- event.idm.read_only_udm.target.ip: Newly mapped `host_ip`, `data.node_ip` raw log field with `event.idm.read_only_udm.target.ip` UDM field.
- event.idm.read_only_udm.target.asset.ip: Newly mapped `host_ip`, `data.node_ip` raw log field with `event.idm.read_only_udm.target.asset.ip` UDM field.
- event.idm.read_only_udm.target.hostname: Newly mapped `host`, `app_host` raw log field with `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.target.asset.hostname: Newly mapped `host` raw log field with `event.idm.read_only_udm.target.asset.hostname` UDM field.
- event.idm.read_only_udm.network.http.user_agent: Newly mapped `http_user_agent`, `user_agent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field.
- event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped `http_user_agent`, `user_agent` raw log field with `event.idm.read_only_udm.network.http.parsed_user_agent` UDM field.
- event.idm.read_only_udm.principal.process.pid: Newly mapped `pid`, `process_pid` raw log field with `event.idm.read_only_udm.principal.process.pid` UDM field.
- event.idm.read_only_udm.principal.application: Newly mapped `application` raw log field with `event.idm.read_only_udm.principal.application` UDM field.
- event.idm.read_only_udm.network.session_duration.seconds: Newly mapped `request_time_seconds` raw log field with `event.idm.read_only_udm.network.session_duration.seconds` UDM field.
- event.idm.read_only_udm.network.session_duration.nanos: Newly mapped `request_time_nanos` raw log field with `event.idm.read_only_udm.network.session_duration.nanos` UDM field.
- event.idm.read_only_udm.network.http.response_code: Newly mapped `status` raw log field with `event.idm.read_only_udm.network.http.response_code` UDM field.
- event.idm.read_only_udm.network.http.method: Newly mapped `http_method` raw log field with `event.idm.read_only_udm.network.http.method` UDM field.
- event.idm.read_only_udm.target.url: Newly mapped `target_url` raw log field with `event.idm.read_only_udm.target.url` UDM field.
- event.idm.read_only_udm.network.email.mail_id: Newly mapped `msgid` raw log field with `event.idm.read_only_udm.network.email.mail_id` UDM field.
- event.idm.read_only_udm.network.application_protocol: Newly mapped `app_protocol_output`, `http_version` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field.
- event.idm.read_only_udm.network.application_protocol_version: Newly mapped `method_version` raw log field with `event.idm.read_only_udm.network.application_protocol_version` UDM field.
- event.idm.read_only_udm.network.sent_bytes: Newly mapped `bytes_sent` raw log field with `event.idm.read_only_udm.network.sent_bytes` UDM field.
- event.idm.read_only_udm.network.received_bytes: Newly mapped `request_length` raw log field with `event.idm.read_only_udm.network.received_bytes` UDM field.
- event.idm.read_only_udm.network.http.referral_url: Newly mapped `http_referer_filtered` raw log field with `event.idm.read_only_udm.network.http.referral_url` UDM field.
- event.idm.read_only_udm.principal.ip: Newly mapped `remote_addr`, `user_ip` raw log field with `event.idm.read_only_udm.principal.ip` UDM field.
- event.idm.read_only_udm.principal.asset.ip: Newly mapped `remote_addr`, `user_ip` raw log field with `event.idm.read_only_udm.principal.asset.ip` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `context`, `data.reference_id`, `id` raw log field with `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `remote_user`, `from`, `user_id` raw log field with `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.target.user.userid: Newly mapped `to` raw log field with `event.idm.read_only_udm.target.user.userid` UDM field.
- event.idm.read_only_udm.target.file.full_path: Newly mapped `data_file_path`, `data_file` raw log field with `event.idm.read_only_udm.target.file.full_path` UDM field.
- event.idm.read_only_udm.target.file.size: Newly mapped `data_file_size` raw log field with `event.idm.read_only_udm.target.file.size` UDM field.
- event.idm.read_only_udm.target.file.mime_type: Newly mapped `data_file_mime` raw log field with `event.idm.read_only_udm.target.file.mime_type` UDM field.
- event.idm.read_only_udm.target.file.md5: Newly mapped `data_file_hash` raw log field with `event.idm.read_only_udm.target.file.md5` UDM field.
- event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped `hash_label` raw log field with `event.idm.read_only_udm.target.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `url_host` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped `session`, `data.session` raw log field with `event.idm.read_only_udm.network.session_id` UDM field.
- event.idm.read_only_udm.target.resource.product_object_id: Newly mapped `data_file_id` raw log field with `event.idm.read_only_udm.target.resource.product_object_id` UDM field.
- event.idm.read_only_udm.target.file.names: Newly mapped `data_file_name` raw log field with `event.idm.read_only_udm.target.file.names` UDM field.
- event.idm.read_only_udm.network.tls.cipher: Newly mapped `cipher` raw log field with `event.idm.read_only_udm.network.tls.cipher` UDM field.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `event_data` raw log field with `event.idm.read_only_udm.security_result.category_details` UDM field.
- event.idm.read_only_udm.additional.fields: Newly mapped `agent.id`, `agent.name`, `decoder.name`, `rule.main`, `request_filtered_label`, `groups_label`, `http_x_forwarded_for`, `msec`, `body_bytes_sent`, `queue_id`, `size`, `class`, `nrcpts`, `dsn`, `ctladdr`, `xdelay`, `mailer`, `pri`, `delay`, `data.file.file_id`, `tenant_id`, `user_type`, `client_device`, `flag`, `data.file.file_uploader.profile.id`, `data.file.file_uploader.profile.name`, `data.is_folder_upload`, `data.context`, `data.geolocation_source.source`, `data.geolocation_source.source_with_kw`, `data.file.file_uploader.guid`, `daemon`, `verify`, `bits`, `STARTTLS`, `ec_object_id`, `rule.firedtimes`, `location`, `data.file.version`, `data.file.ec_object_id`, `data.parent_folder.path`, and `data.parent_folder.ec_source` raw log field with `event.idm.read_only_udm.additional.fields` UDM field.
- event.idm.read_only_udm.network.tls.version: Newly mapped `version` raw log field with `event.idm.read_only_udm.network.tls.version` UDM field.
- event.idm.read_only_udm.intermediary: Newly mapped `intermediary1`, `intermediary` raw log field with `event.idm.read_only_udm.intermediary` UDM field.
- event.idm.read_only_udm.about: Newly mapped `about` raw log field with `event.idm.read_only_udm.about` UDM field.
- event.idm.read_only_udm.principal.user.user_display_name: Newly mapped `user_name` raw log field with `event.idm.read_only_udm.principal.user.user_display_name` UDM field.
- event.idm.read_only_udm.principal.hostname: Newly mapped `manager.name` raw log field with `event.idm.read_only_udm.principal.hostname` UDM field.
- event.idm.read_only_udm.metadata.event_type: If `has_principal` is `true`, `has_target` is `true`, and `has_target_file` is `true`, updated to `FILE_CREATION`.
- event.idm.read_only_udm.metadata.event_type: If `has_principal` is `true`, `has_target` is `true`, and `app_protocol_output` matches `HTTP`, updated to `NETWORK_HTTP`.
- event.idm.read_only_udm.metadata.event_type: If `has_principal` is `true` and `has_target` is `true`, updated to `NETWORK_CONNECTION`.
- event.idm.read_only_udm.metadata.event_type: If `has_principal_user` is `true`, updated to `USER_UNCATEGORIZED`.
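The four `event_type` rules above, as an added example of how they behave as an ordered rule list. This is illustrative code written for this page, not the parser's own implementation: the `has_*` flags are derived here from a UDM-shaped dict (how the real parser sets them is not stated), first-match-wins evaluation in the listed order and the `GENERIC_EVENT` default are assumptions, and the sample events are constructed.

```python
import re

# Ordered rules, most specific first. Assumption: the first matching rule wins, which is why
# FILE_CREATION must be tested before the more general NETWORK_* and USER_* conditions.
RULES = [
    (lambda f: f["has_principal"] and f["has_target"] and f["has_target_file"], "FILE_CREATION"),
    (lambda f: f["has_principal"] and f["has_target"]
               and re.search("HTTP", f["app_protocol_output"]) is not None, "NETWORK_HTTP"),
    (lambda f: f["has_principal"] and f["has_target"], "NETWORK_CONNECTION"),
    (lambda f: f["has_principal_user"], "USER_UNCATEGORIZED"),
]


def derive_flags(udm):
    """Derive the has_* flags the rules refer to from a UDM-shaped dict (assumed derivation)."""
    principal = udm.get("principal") or {}
    target = udm.get("target") or {}
    network = udm.get("network") or {}
    return {
        "has_principal": bool(principal),
        "has_principal_user": bool(principal.get("user")),
        "has_target": bool(target),
        "has_target_file": bool(target.get("file")),
        "app_protocol_output": network.get("application_protocol") or "",
    }


def derive_event_type(udm, default="GENERIC_EVENT"):
    """Return the first rule's event_type whose condition holds, else the default."""
    flags = derive_flags(udm)
    for condition, event_type in RULES:
        if condition(flags):
            return event_type
    return default


# Constructed sample events shaped like the parser's output for the 2025-09-26 format.
FILE_UPLOAD = {
    "principal": {"ip": ["198.51.100.7"], "user": {"userid": "alice"}},
    "target": {"hostname": "kw.example.com", "file": {"full_path": "/uploads/report.pdf"}},
    "network": {"application_protocol": "HTTP"},
}
HTTP_REQUEST = {
    "principal": {"ip": ["198.51.100.7"]},
    "target": {"url": "https://kw.example.com/rest/files"},
    "network": {"application_protocol": "HTTP/1.1", "http": {"method": "GET", "response_code": 200}},
}
SMTP_CONNECTION = {
    "principal": {"ip": ["198.51.100.7"]},
    "target": {"hostname": "mail.example.com"},
    "network": {"application_protocol": "SMTP"},
}
USER_ONLY = {"principal": {"user": {"userid": "bob"}}}
TARGET_FILE_NO_PRINCIPAL = {"target": {"file": {"names": ["x.txt"]}}}

if __name__ == "__main__":
    for name, event in [("file", FILE_UPLOAD), ("http", HTTP_REQUEST), ("smtp", SMTP_CONNECTION),
                        ("user", USER_ONLY), ("no principal", TARGET_FILE_NO_PRINCIPAL)]:
        print(name, "->", derive_event_type(event))
```

Note that the `FILE_CREATION` rule requires a principal: a file target with no principal falls through every rule and keeps the default, which is the case a detection engineer will want to check when file events appear under an unexpected type.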
2023-11-10 - Newly created parser.