Change log for NIX_SYSTEM
| Date | Changes |
|---|---|
| 2026-01-27 | Updated the grok pattern to support new log fields in the legacy backward compatibility code. - `security_result.severity_details`: Newly mapped the `severity` raw log field to the `security_result.severity_details` UDM field for a specific log pattern. - `security_result.severity`: Newly mapped the `severity` raw log field to the `security_result.severity` UDM field for a specific log pattern. - `metadata.product_log_id`: Newly mapped the `facility` raw log field to the `metadata.product_log_id` UDM field for a specific log pattern. |
| 2026-01-23 | - `principal.ip`: Removed mapping of invalid IP address values from the `principal.ip` UDM field for `tufin-server` logs. - `principal.asset.ip`: Removed mapping of invalid IP address values from the `principal.asset.ip` UDM field for `tufin-server` logs. - `target.user.userid`: Newly mapped the `User ID` raw log field to the `target.user.userid` UDM field for `tufin-server` logs. - `target.user.user_display_name`: Newly mapped the `User name` raw log field to the `target.user.user_display_name` UDM field for `tufin-server` logs. |
| 2026-01-08 | Added a grok pattern to support a new pattern of logs in the `syslog` source path and map NetworkManager process logs more accurately than the earlier legacy support did. The mapping changes as follows: - `target.hostname`: Removed mapping of the `hostname` raw log field from the `target.hostname` UDM field for NetworkManager process logs. - `target.asset.hostname`: Removed mapping of the `hostname` raw log field from the `target.asset.hostname` UDM field for NetworkManager process logs. - `intermediary.hostname`: Removed mapping of the `hostname` raw log field from the `intermediary.hostname` UDM field for NetworkManager process logs. - `principal.hostname`: Mapped the `hostname` raw log field to the `principal.hostname` UDM field for NetworkManager process logs. - `target.application`: Removed mapping of the `process` raw log field from the `target.application` UDM field for NetworkManager process logs. - `target.platform`: Removed the value `LINUX` from the `target.platform` UDM field for NetworkManager process logs. - `principal.platform`: Set the `principal.platform` UDM field to `LINUX` for NetworkManager process logs. - `principal.process.command_line`: Mapped the `process` raw log field to the `principal.process.command_line` UDM field for NetworkManager process logs. - `security_result.description`: Newly mapped the `description` raw log field to the `security_result.description` UDM field for NetworkManager process logs. - `security_result.severity`: Newly mapped the `severity` raw log field to the `security_result.severity` UDM field for NetworkManager process logs. |
| 2025-12-16 | Added support for a log format that carries `SyslogMessage` as a separate field in JSON. |
| 2025-12-12 | Enhanced GROK pattern to support new pattern of logs. |
| 2025-12-01 | Updated grok pattern to support new structure of logs in the legacy backward compatibility code. - principal.ip: Newly mapped `rhost` raw log field with `principal.ip` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - principal.asset.ip: Newly mapped `rhost` raw log field with `principal.asset.ip` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - principal.user.userid: Newly mapped `ruser` raw log field with `principal.user.userid` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - security_result.description: Newly mapped `description` raw log field with `security_result.description` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - metadata.event_type: Newly mapped the value `USER_LOGIN` with `metadata.event_type` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - extensions.auth.mechanism: Newly mapped the value `USERNAME_PASSWORD` with `extensions.auth.mechanism` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - security_result.action: Newly mapped the value `ALLOW` with `security_result.action` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success`. - network.application_protocol: Newly mapped the value `SSH` with `network.application_protocol` UDM field if the raw log field `process` has value `sshd` and if the raw log field `action` has value `authentication success` and if the raw log field `proto` has value `ssh`. |
| 2025-11-25 | Added a condition to exclude logs containing "NetworkManager" from being processed through the log source paths `/var/log/apache2/access.log` and `/var/log/nginx/access.log`. This prevents parsing issues by ensuring that only logs with the structure expected from those paths are processed through them. - Added a grok pattern to adjust the UDM mapping for the following field: - `metadata.product_event_type`: Removed mapping of the `process` raw log field value `Simon` to the `metadata.product_event_type` UDM field and mapped the value `pbs_oucheck` instead for logs whose process is `Simon`. |
| 2025-11-17 | - Enhanced grok pattern to map the NetworkManager, CROND, and vsftpd processes to `metadata.product_event_type` UDM field. |
| 2025-11-14 | Added grok pattern to support new structure of logs from the `syslog` source path. |
| 2025-11-06 | Added GROK pattern to support new structure of logs. |
| 2025-10-31 | Updated grok pattern to support new structure of logs in the legacy backward compatibility code. |
| 2025-10-30 | Enhanced GROK pattern to support new pattern of logs. |
| 2025-10-13 | Added grok pattern to map the following fields in the legacy backward compatibility code. - target.ip: Newly mapped `DstIP` raw log field with `target.ip` UDM field. - target.port: Newly mapped `DstPort` raw log field with `target.port` UDM field. - principal.ip: Newly mapped `SrcIP` raw log field with `principal.ip` UDM field. - principal.port: Newly mapped `SrcIP` raw log field with `principal.port` UDM field. |
| 2025-10-10 | Added a grok pattern to parse logs from the `syslog` source path in JSON format. |
| 2025-09-09 | - `target.user.userid`: Added a grok pattern that stops mapping a partial `username` value to the `target.user.userid` UDM field and maps the complete `username` value instead. |
| 2025-09-08 | Added a grok pattern to support new structure of logs. - metadata.product_event_type: Newly mapped `process` raw log field with `metadata.product_event_type` UDM field. - principal.process.pid: Newly mapped `process_id` raw log field with `principal.process.pid` UDM field. |
| 2025-08-26 | Added a grok pattern to parse logs from the `syslog` source path in JSON format. |
| 2025-06-30 | Updated grok pattern to support new structure of "syslog" logs. |
| 2025-04-28 | intermediary.hostname |
| 2025-03-11 | Added grok pattern to support new schema structure of "kernel" logs. |
| 2025-02-11 | Updated grok pattern to support new structure of "syslog" logs. |
| 2025-01-22 | Added grok pattern to support new structure of "kernel" log. |
| 2025-01-17 | Added support for sshd logs with the "Could not load host key" and "Set" actions, which were previously dropped. |
| 2024-12-26 | Updated grok pattern to support new structure of "mail" log. |
| 2024-11-26 | Added support for sshd logs with the "reprocess" action, which were previously dropped. |
| 2024-10-25 | Promoted the parser to default. |
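The 2025-12-01 entry records a conditional mapping: only when the `process` raw field is `sshd` and the `action` raw field is `authentication success` does the parser populate `principal.ip`, `principal.user.userid`, `metadata.event_type` (`USER_LOGIN`), `extensions.auth.mechanism`, `security_result.action` and, when `proto` is `ssh`, `network.application_protocol`. The following Python is an added illustration of that rule together with the unconditional `process` and `process_id` mappings from the 2025-09-08 entry; it is not the NIX_SYSTEM parser's grok or any Google SecOps code. The sample log lines are constructed, the regular expressions are assumptions about how such fields could be captured, treating PAM's `tty=` value as the change log's `proto` field is an assumption, and the IP-validity check before populating `principal.ip` is an added caveat in the spirit of the 2026-01-23 entry, not something the page states for sshd logs.

```python
import ipaddress
import re

# Constructed sample syslog lines (illustration only; not from the page or the parser's test data).
SSHD_SUCCESS = (
    "Dec  1 10:15:32 host1 sshd[2345]: pam_unix(sshd:auth): authentication success; "
    "logname= uid=0 euid=0 tty=ssh ruser=alice rhost=203.0.113.7"
)
SSHD_FAILURE = (
    "Dec  1 10:15:40 host1 sshd[2346]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root"
)
CROND_LINE = "Dec  1 10:16:00 host1 CROND[2400]: (root) CMD (run-parts /etc/cron.hourly)"

# Assumed stand-in for the parser's grok: BSD syslog header, then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<process>[^\[:]+)(?:\[(?P<process_id>\d+)\])?: (?P<message>.*)$"
)
# PAM-style body: optional "pam_xxx(service:type): " prefix, an action, then key=value pairs.
PAM_RE = re.compile(r"^(?:pam_\w+\([^)]*\): )?(?P<action>[^;]+);(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def extract_fields(line):
    """Split one syslog line into raw fields named as in the change log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    pm = PAM_RE.match(fields["message"])
    if pm:
        fields["action"] = pm.group("action").strip()
        fields["description"] = fields["message"]
        fields.update(KV_RE.findall(pm.group("kv")))
        # Assumption: the change log's `proto` raw field is PAM's tty= value (e.g. "ssh").
        if "tty" in fields:
            fields["proto"] = fields.pop("tty")
    return fields


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def to_udm(fields):
    """Apply the mappings recorded in the 2025-09-08 and 2025-12-01 entries."""
    udm = {"metadata.product_event_type": fields["process"]}
    if "process_id" in fields:
        udm["principal.process.pid"] = fields["process_id"]
    if fields["process"] == "sshd" and fields.get("action") == "authentication success":
        rhost = fields.get("rhost", "")
        # Added check (not stated for sshd on the page): rhost may be a DNS name,
        # so only a syntactically valid IP address is placed in the IP fields.
        if is_ip(rhost):
            udm["principal.ip"] = rhost
            udm["principal.asset.ip"] = rhost
        if fields.get("ruser"):
            udm["principal.user.userid"] = fields["ruser"]
        udm["security_result.description"] = fields["description"]
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"
        udm["security_result.action"] = "ALLOW"
        if fields.get("proto") == "ssh":
            udm["network.application_protocol"] = "SSH"
    return udm


def map_line(line):
    """Raw syslog line -> flat dict of UDM field paths, or None if the header does not parse."""
    fields = extract_fields(line)
    return None if fields is None else to_udm(fields)


if __name__ == "__main__":
    for line in (SSHD_SUCCESS, SSHD_FAILURE, CROND_LINE):
        print(map_line(line))
```

Running it shows the difference the condition makes: the `authentication failure` line and the CROND line receive only the unconditional `metadata.product_event_type` and `principal.process.pid` mappings, while the `authentication success` line also gets the login-specific fields. Feeding a line whose `rhost` is a hostname rather than an address leaves `principal.ip` unset but still maps the user ID.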